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Abstract 

We study breadth-first search (BFS) spanning trees, and address the problem of designing a 
sparse fault-tolerant BFS structure, or FT-BFS for short, resilient to the failure of up to two 
edges in the given undirected unweighted graph G, i.e., a sparse subgraph iT of G such that 
subsequent to the failure of up to two edges, the surviving part iJ' of FI still contains a BFS 
spanning tree for (the surviving part of) G. FT-BFS structures, as well as the related notion 
of replacement paths, have been studied so far for the restricted case of a single failure. It 
has been noted widely that when concerning shortest-paths in a variety of contexts, there is 
a sharp qualitative difference between a single failure and two or more failures [7]. Our main 
results are as follows. We present an algorithm that for every n-vertex unweighted undirected 
graph G and source node s constructs a (two edge failure) FT-BFS structure rooted at s with 
0(n®/^) edges. To provide a useful theory of shortest paths avoiding 2 edges failures, we take a 
principled approach to classifying the arrangement these paths. We believe that the structural 
analysis provided in this paper may decrease the barrier for understanding the general case of 
/ > 2 faults and pave the way to the future design of /-fault resilient structures for / > 2. 
We also provide a matching lower bound, which in fact holds for the general case of / > 1 and 
multiple sources S C V. It shows that for every / > I, and integer 1 < u < n, there exist 
n-vertex graphs with a source set S' C 1/ of cardinality a for which any FT-BFS structure rooted 
at each s G S, resilient to up to /-edge faults has edges. In particular, 

for / = 2 and cr = 1, a dual failure FT-BFS structure rooted at s must have f2(n®/^) edges in the 
worst case. Finally, we also consider the optimization variant for this problem, and propose an 
O(logn) approximation algorithm for constructing FT-BFS structures resilient to up to /-faults 
for any constant / > 1 and any source set S CV. 
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1 Introduction 


Background and motivation. Large network systems of electricity, telephony or communication 
are traditionally designed to withstand the possibility of a single failure in one of their components. 
This is partially justified by the optimistic view that a failure is a rare event. Yet, since in modern 
day huge communication networks several components may fail or malfunction at any given time, 
the restriction to single failure events mainly stems from the unfortunate fact that supporting the 
capability of coping two failures or more is, in many cases, considerably more complex than having 
to overcome just a single failure. For example, when considering the setting of shortest path in 
some underlying graph, it has been widely noted that there is a sharp qualitative and quantitative 
difference between shortest paths avoiding just one failure and paths avoiding two or more failures. 
We consider the structure of breadth-first search (BPS) spanning trees, and address the problem 
of designing dual failure fault-tolerant BFS structure, or FT-BFS for short. By this we mean a 
subgraph H of the given network G, such that subsequent to the failure up to two of the edges, the 
surviving part H' of H still contains a BFS spanning tree for the surviving part of G. 

Typical network design problems involve three types of objectives: (1) construction time (i.e., 
cost of the preprocessing phase) (2) quality of usage, i.e., efficiency of operations preformed in the 
constructed structure, and (3) the size of the constructed structure. The current work is motivated 
by settings in which objectives (2) and (3) play a dominant role. In particular, objective (2) is 
important in cases where using approximate shortest paths instead of exact ones (e.g., for routing), 
entails a high cost on the system and it is preferable to purchase a larger structure that will allow 
optimal operation (e.g., routing on shortest paths). Subject to objective (2), it is still desirable 
to construct (or purchase) the minimum cost structure satisfying the usability requirements (e.g., 
optimum routing). A typical motivation for this is a setting where the graph edges represent the 
channels of a communication network, and the system designer would like to purchase or lease a 
minimal collection of channels (i.e., a subgraph G' C G) that maintains its functionality as a BFS 
tree with respect to the source s upon failures in G. In such a context, the cost of computation at 
the preprocessing stage (i.e., objective (I)) may be negligible compared to the purchasing/leasing 
cost of the resulting structure. Hence, our key cost measure in this paper is the size of the fault 
tolerant structure that provides the exact shortest paths distance from a given source vertex s, 
and our main goal is to achieve sparse (or compact) such structures (our construction time is still 
polynomial in n). The notion of FT-BFS structure is closely related to the problem of constructing 
replacement paths and in particular to its single source variant, studied in [8] only for the single 
failure case. For a source node s, a target node v and an edge e G G, the shortest s — v path 
Ps,v,e that does not go through e is known as a replacement path. The replacement path problem 
requires to compute the collection Vs,v of all s — u replacement paths Ps,v,e for every failed edge e 
that appears on the s — v shortest-path 7r(s, v) in G. Note that a replacement path is, by definition 
restricted to a single failure event. Under this restricted setting, the replacement path Ps^v,e admits 
a rather convenient form, consisting of three segments: a prefix of the shortest-path 7r(s, v) up to 
some vertex b G Tr{s,v) occurring before the failing edge e, followed by a “detour” avoiding the 
path tt{s,v) (and in particular the failing edge e), and terminating with a suffix of Tr{s,v). This 
clean decomposition has led to the development of algorithms that compute the collection Vs,v 
efficiently (cf. P ITTl [2l IT71 [8]L A replacement path Ps,v,e is called new-ending if its last edge is 
different from the last edge of the shortest path 7r(s, v). Put another way, a new-ending replacement 
path Ps^v,e has the property that once it diverges from the shortest-path 7r(s, v) at the vertex b, 
it joins tt{s,v) again only at the final vertex v. It is shown in jinj that for a given graph G and 
source vertex s, a structure H P G containing a BFS tree rooted at s plus the last edge of each 
new-ending replacement path Ps^v,e for every e G G and u G U, is a single-failure FT-BFS structure. 
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This means that it suffices to focus on the new-ending replacement paths and pick a single edge 
from each of them (specifically, the last). Furthermore, by analyzing the special structure of the 
new-ending paths, it is shown therein that such a structure consists of edges where n is the 

number of vertices in the graph. This result is complemented by a matching lower bound showing 
that for every sufficiently large integer n, there exist an n-vertex graph G and a source s G y, for 
which every single failure FT-BFS structure is of size Since exact FT-BFS structures may 

be rather expensive, mm exploit the structure of replacement-paths to construct approximate 
FT-BFS structures with 0{n) edges for unweighted undirected graphs. 

Indeed, the convenient structure of the replacement paths has facilitated the development of 
solutions to many other related problems, such as dynamic algorithms for shortest paths and /- 
sensitivity distance oracles, capable of efficiently answering proximity queries following a /-failures 
event mm- Recently, distance sensitivity oracles have been considered for weighted and directed 
graphs in the single source setting [8]. An efficient construction of single source distance oracles 
for planar graphs is provided in pQ. 

Yet, this long line of results, heavily exploits the structure of the single failure replacement 
path, and is consequently limited to handling no more than one fault in the network. A natural 
goal is to generalize some of these results to settings with two or more failures. It appears that the 
main barrier for such an extension is rooted in the fact that the structure of a replacement path 
Ps,v,F avoiding an edge pair F is rather involved and no longer admits a nice decomposition as 
its single failure counterparts. Since understanding the structure of replacement paths and their 
interactions proved to be fundamental when designing fault resilient structures, understanding the 
structure Ps,v,F is key essential step for making the desired jump from a single failure to at least 
two, for many network design tasks. A remarkable breakthrough in this direction is obtained in 
[7], presenting the first 2-sensitivity distance oracle of size O(n^log^n), capable of answering 2- 
sensitivity queries in O(logn) time. Indeed, both the data structure and the query algorithm of 
m are considerably more complex than the single failure case studied in [5l [2] . An /-sensitivity 
distance oracle overcoming / > 1 failures is given in m- By using fast matrix multiplication, m 
yields the first sub-cubic time (randomized) algorithm for the replacement paths problem when the 
edge-lengths are small integers. Yet, despite the time efficient algorithm of m the understanding 
of the underlying structural properties of these paths is still lacking. 

We note that in certain cases the jump from one fault to multiple faults is quite natural and 
tractable. For example, in the setting of fault tolerant spanners for an arbitrary undirected weighted 
graph, it is shown in [1] that there exists a (polynomially constructible) /-vertex fault tolerant 
{2k — l)-spanner of size 0(/^fe-^^^ • log^”^'^^ n) and an /-edge fault tolerant {2k — l)-spanner 

of size 0{f for a graph of size n. A randomized construction attaining an improved tradeoff 

for vertex fault-tolerant spanners was shortly afterwards presented in [6j. 

Finally, observe that the dual-failure FT-BFS structure studied in this paper is limited in three 
senses: (1) it is rather dense, although it matches the lower bound, (2) it deals with a single source, 
and (3) it supports up to two edge faults. Given the density of the structure (i.e., (1)), one may 
claim that it may be better to use approximate structures as provided in m [13] for example, 
instead of exact ones. While this is true, we believe that it is still very important to understand 
the more fundamental exact problem first. The ’’theory” of paths avoiding two faults provided in 
this paper would surely be a key building block for designing approximate structures that avoids 
two faults (e.g., in the same manner that the theory of single fault replacement paths of m laid 
the basis for approximate structures avoiding single fault in mm)- In particular, we believe that 
understanding the single source case, beyond the single edge failure event, is an important milestone 
for designing fault tolerant structures under more generalized settings: One axis of generalization 
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is increasing the nnmber of supported sources, i.e., considering a setting where one is given a subset 
of sources S C V, and it is desired to provide a dual failure FT-BFS tree rooted at each source 
s € S. Multi-source FT-BFS structures, referred to hereafter as FT-MBFS have been studied in |in) 
for the case of a single edge (or vertex) failure and have been later shown to provide an important 
building block in designing sparse fault tolerant additive spanners, that provide a bounded additive 
stretch for all pairs in the graph under the failing of a single edge (or vertex) [13]. An additional 
axis of generalization is increasing the number of supported faults. A natural generalized structure 
is an /-FT-BFS which contains the collection of all single source replacement paths avoiding up to 
/ edges in the graph. Combining these two axes results in /-FT-MBFS structure, that for a given 
source set 5 C 1/ provides an /-FT-BFS structure with respect to each source s G S. We believe 
that the structural theory of dual failure replacement paths developed in this paper paves the way 
to understanding these generalized structures. Towards this end, we provide two results for the 
generalized setting, namely, lower bound constructions and approximability results, as elaborated 
in next paragraph. 

Contributions. We present an algorithm that for every n-vertex unweighted graph G and source 
node s, constructs a dual failure FT-BFS structure rooted at s with edges. The size analysis 

of the output subgraph requires a deep understanding of the various configurations that may be 
assumed by a replacement path avoiding two faults. An essential component in our analysis deals 
with the detour segment of the single failure replacement paths. While a tight universal upper 
bound on the size of /-fault FT-BFS structures for general / > 1 is currently beyond our reach, we 
do have several results for the case of / failures for any constant / > 1. In Section]^ we present a 
lower bound stating that for every cardinality of sources 1 < cr < n, there exists an n-vertex graph 
and a source set S' C 1/ where |S| = cr, for which any /-fault FT-MBFS structure for each s G S 
requires edges. Hence, for / = 2 and a = 1 the lower bound translates into 

j^(^5/3) efjgeg^ which matches our upper bound construction. Finally, note that while our upper 
bound algorithm matches the worst-case lower bounds, they might still be far from optimal for 
certain instances, see HD. Consequently, in Section we complete the upper bound analysis by 
presenting an O(logn) approximation algorithm for the Minimum FT-MBFS problem in which one is 
given a graph G = (V, E), constant integer / > 1, a source set S EV, and it is required to construct 
an /-failure FT-MBFS subgraph H of minimum size (i.e., number of edges). This approximation 
algorithm is superior in instances where the graph enjoys a sparse /-failure FT-MBFS tree (even 
linear in 0{n)), hence paying edges is wasteful. 

Theorem 1.1 (Upper Bound for dual failure FT-BFS) For every unweighted undirected graph 
G = iy,E) and source vertex s gV , there is a (polynomially time constructible) dual failure FT- 
BFS structure Ft <G G with respect to s, with edges. 

Theorem 1.2 (Lower Bound for /-failure FT-MBFS) For every constant f > I, n > o(l) 
and 1 < cr < n, there exist an n-vertex graph G{V, E) and a source set S C V of cardinality a 
such that any /-FT-MBFS structure for the source set S has edges. In 

particular, dual failure FT-BFS structures requires edges. 

Theorem 1.3 (0(logn)-approximation for /-failure FT-BFS) There exists a polynomial time 
algorithm that for every constant / > 1 and n-vertex graph G and source set S' C 1/ constructs an 
f-failure FT-MBFS structure H whose size (i.e., number of edges) is larger by a factor of at most 
0(logn) than the optimal structure H* (by Thm. 1 of fl^ . this is tight up to constants, assuming 
P / NP). 
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Preliminaries and notation. Given an unweighted undirected graph G = {V, E) and a source 
node s, let To{s) C G be a shortest paths (or BFS) tree rooted at s. Throughout, the edges of these 
paths are considered to be directed away from the source node s. For a path P = [ui,..., Ufc], let 
LastE(P) be the last edge of path P. Let |P| denote the length of the path and P[vi,Vj] be the 
subpath of P from Vi to Vj. For paths Pi and P 2 , Pi o P 2 denote the path obtained by concatenating 
P 2 to Pi. A vertex w is a divergence point of the s — v paths Pi and P 2 if rc G Pi H P 2 but the next 
vertex u after w (i.e., such that u is closer to v) in the path Pi is not in P 2 . Given an s — u path 
P and an edge e = (x, y) G P, let dist(s, e, P) be the distance (in edges) between s and e on P. 

Techniques and proof outline. For a source node s, a target node v and a pair P = {cj, C G 
of failed edges, the shortest s — v path Ps,v,F that does not go through the edge pair P is the natural 
extension of the well studied single failure replacement path. Thus, our dual failure FT-BFS structure 
must contain some replacement path Ps,v,F for every v G V{G) and every edge pair P C E{G). It 
is convenient to view the failing edges P = {e*, tj} as corresponding to two subsequent independent 
failing events where first the edge e* fails and later on, the second edge tj fails. If the first failing 
edge Cj does not lie on the s — v shortest-path 7r(s, v), then the replacement path Pa^v,{ei} is simply 
f{s,v). Otherwise, when e* G 7r(s,u), the replacement path Ps,v,{ei} consists of a prefix of f{s,v) 
followed by a detour Di avoiding f{s,v) (and ei), followed by a suffix of 7r(s,u). Gonsider now 
the second failing edge tj. Glearly, if tj is not on Ps,v,{ei} then the dual failure replacement path 
Ps,v,F remains as is, i.e.,Ps^v,F = Ps,v,{ei}- The interesting case is where tj G Ps,v,{ei}- This 
case is further divided into two subcases. In the first subcase, tj appears on either the prefix or 
the suffix segments of Ps,v,{ei}^ he., tj appears on Tr{s,v). A replacement path Ps,v,F protecting 
against two faults on f{s,v) is called hereafter a (tTjf)- replacement path. In the complementary 
subcase, the second failing edge tj appears on the detour segment Di, i.e., tj G Ps,v,{ei} \ '^(^j 'c)- A 
replacement path Ps,v,F for P = {ei,tj} where Cj lies on Tr{s,v) and the tj lies on the detour Di is 
called hereafter a (vr, D)-replacement path. Our algorithm for constructing the dual failure FT-BFS 
structure, Alg. Cons2FTBFS, carefully selects a replacement path Ps,v,F for every v G V and for 
every edge pair F C E. Essentially, for each vertex v, the algorithm constructs a subgraph P(u) 
consisting of the last edges of the replacement paths Ps,v,F, i-c., H{v) = |p |<2 LastE(Ps^^^i?) 

where LastE{Ps^v,F) is the last edge of the replacement path Ps,v,F- The final structure H is then 
given by taking the union, i.e., H = H{v). In the analysis section, we show that (a) taking 

the last edge of each replacement path is sufficient and (b) the size (number of edges) of each 
H{v) is bounded by 0(n^/^). A replacement path Ps,v,F is called a new-ending path if its last 
edge was not present in the structure at the time that the path was selected by the algorithm. 0 
Since only the last edges of the replacement paths are taken into the structure, it is required to 
bound the number of new-ending paths Ps,v,F- Indeed, the lion share of this paper is dedicated to 
bounding the size of H{v), which turns out to be significantly more involved compared to the single 
failure case of m- We first consider the simplified case where the two failing edges lie on 7r(s,u) 
and bound the number of new-ending (vr, 7r)-replacement paths by 0{y/n). This is shown by using 
a very similar argument to that of the single failure case. The most technically involved task is 
bounding the number of new-ending (tt, D)-replacement paths Ps,v,F- We classify these paths into 
two main classes. The first class consists of the paths Ps,v,F that do not intersect the edges of the 
detour of the replacement path protecting their first failing edge. A new-ending path in this class 
has the following structure: it diverges from the shortest-path tt(s, v) at some vertex b (above the 
failing edge e*) and joins tt{s,v) again only at the final vertex v, without intersecting the detour 

^Note that in |10| . a path is new-ending if its last edge is not in the initial BFS tree To(s). Here the definition is 
more strict and depends on the time step in which the path was considered by the algorithm. Yet, since the initial 
graph Hq used by the algorithm at step 0 contains the BFS tree To(s), a new-ending path in the current definition, 
is also new-ending according to the definition of [TU] (but not vice-versa). 
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Di at all (see Fig. [^d)). The second class consists of new-ending paths Ps,v,F that intersect their 
detour Di in at least one edge. Any path in this class has the following structure: it diverges from 
the shortest-path 7r{s,v) at the first vertex of the detour Di, it then follows the detour Di up to 
some vertex c above the failing edge tj, and joins 7 r(s, v) and Di again only at the final vertex v. In 
other words, such a path has two divergence points: a unique vr-divergence point b where it departs 
from 7 r(s, v) and a D-divergence point c where it departs from Di (see Fig. ic)) 

We proceed by briefly outlining the proof for the single failure case, i.e., bounding the number 
of s — u new-ending Ps^v,{ei} paths by 0(^/n). We then consider the simplifying case where all 
replacement paths in G \ F are unique (there are no two equally shortest replacement-paths). 
Finally, we highlight the technicalities that arise in the general case (whose detailed treatment is 
deferred to Section . 

Recap for the single failure case and first attempt. Assume that all shortest-paths are 
computed according to a weight assignment W that guarantees the uniqueness of the shortest-paths 
(i.e, breaking ties in a consistent manner). Consider the collection Pi,... ,Pt oi s — v new-ending 
replacement paths where Pi = Ps,v,{ei} for G '7r(s, v) and every path Pi ends with a distinct edge 
of V, i.e., LastE(Pj) 7 ^ LastE(Pj) 7 ^ LastE( 7 r(s, u)) for every i,j G {1,..., *10 We now bound t by 
0{y/n) and as there are n vertices, overall there are total of 0(re^/^) edges in a FT-BFS structure 
that contains the last edges of all replacement paths. For every path Pi, let bi be the unique 
divergence point from Tr{s,v). The following observation is crucial in this context. 

Observation 1.4 The sujfixes Pi = Pi[bi,v] \ {u} are vertex-disjoint, i.e., Pi n Pj = 0 for every 
i,j G {1,. . .,t}. 


Proof: Since bi is the unique divergence point of Pi from 7 r(s, v), it holds that PiriE{Tr{s, v)) = 0, for 
every i G {1,..., t}. Assume towards contradiction that there exists a common vertex w € Pi D Pj 
in the intersection. For an illustration see Fig. [^a). This implies that there two distinct w — v 
paths, namely, Pi[w,v] and Pj[w,v] in G \ E{'k{s,v)), leading to contradiction by the uniqueness 
of W. (Informally, since in this case the failing edge e* protected by Pi is not on Pj[w,v] and 
vice-versa, it implies that one of the last edges, namely, LastE(Pj) or LastE(P,) can be avoided in 
the structure.) The observation follows. | 


In particular, by Obs. |1.4t we have that the collection of divergence points bi,... ,bt are distinct. 
For an illustration see Fig. CTb). This allows us to order the paths Pi,... ,Pt in increasing distance 
between bj and v where dist( 6 i, u, G) < ... < dist( 6 t, v, G). For every j G {1,..., t}, we then have 
that \Pj\ > dist{bj,v,G) > j — 2. Finally, by exploiting the disjointness of the suffixes, we can 
bound the total number of vertices occupied by these suffixes, by n > | \J^j^iPj\ = \^j\ — 


^ j — 2 = II(P), hence t = 0{y/n). In addition, by Obs. 1.4, it also holds that t < dist(s, v, G) 


and hence the FT-BFS structure contains 0(min{-^/n, Dj • n) edges where D is the depth of the BFS 
tree. 


Unfortunately, when considering the dual failure case, the key observation, Obs. 1.4, fails to 
hold. Consider two dual failure new-ending replacement paths Pi = Ps,v,{ei,ti} arid Pj = Ps,v,{ej,tj} 
where t^ is on the detour segment of Ps,v,{ek} fo^ ^ ^ {bj}- la addition, since we only care 
for bounding the number of edges incident to v, these paths are selected so that each ends with 
a new and distinct edge, i.e., LastE(Pj) 7 ^ LastE(Pj) 7 ^ LastE(7r(s, u)). Let bi (resp., bj) be 


^The replacement-paths are computed according to the weight assignment W that breaks the shortest-path ties. 
Since only the last edges of each replacement-path are taken into the structure, in our analysis, we consider one 
representative replacement-path for each new edge incident to v. 
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the unique divergence point of Pi (resp., Pj) from 7r(s,u). By definition it holds that the suffix 
Pk = Pk[bk, v] \ is disjoint with 7r(s, v) for both k G Yet, in contrast to the single failure 

case, we can no longer show that these suffixes are disjoint. To see this, assume there exists a 
common vertex w in the intersection where w G Pi Ci Pj. In the single failure case, since both 
failing edges e* and ej lie on 7r(s, v), we had the guarantee that they do not appear on either of the 
segments Pi[w,v] and Pj[w,v]. Hence, in such a case, the two w — v subpaths Pi[w,v\ and Pj[w,v\ 
are interchangeable and safe to be used by both of the paths Pi and Pj (i.e., safe in the sense that 
they do not contain the failing edges of these paths). Unfortunately, in our case, since the second 
failing edge of Pj, namely, tj, is not on 7r(s,u) (but rather on the detour Dj), we no longer have 
such guarantee. Specifically, it might be the case that tj appears on the suffix Pi[w,v] and hence 
the subpath Pi[w, u] is no longer safe for Pj, which justifies the introduction of the two new edges, 
LastE(Pj) and LastE(Pj). For an illustration see Fig. [^c). This toy example illustrates that dual 
failure replacement paths may share many vertices, which makes the mission of bounding their 
number much less tractable. 



Figure 1: (a) The single failure case. The suffixes Pi = Pi[bi,v] are disjoint. The existence of 
a vertex w in the intersection implies that there are two safe routes from w to v (of the same 
lengths). Note that these routes are safe since they do not intersect with the edges of 7r(s,u). (b) 
The disjointness of the suffixes implies that the divergence points are distinct and hence can be 
ordered on the 7r(s, v) path in increasing distance from v. (c) The dual failure case. Shown are 
two (tt, D) replacement paths Pi = Ps^v,{ei,ti} Pj = Ps^v,{ej,tj} where ti G Di and tj G Dj. The 
suffixes Pi and Pj intersect at the common vertex w, however the subpath Pi[w,v] contains the 
failing edge tj and hence cannot be used by the path Pj. 

Easy case (1) : f-faults on 7r(s,u). To warm up, we proceed by claiming that the collection of last 
edges of the s — v replacement-paths protecting against at most / faults on the shortest path 7r(s, v) 
is bounded by 0[y/n). Consider the collection of s — u replacement paths Vv = {Ps,v,F \ F U 
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Tr{s,v), |F| < /} and let = {LastE(P) | P G Vy}- 
Lemma 1.5 \Ey\ = 0{y/n) for every v . 

Proof: Fix v and consider P', the collection of representative paths from Vy, each ending with a 
distinct last edge, i.e., LastE(P) / LastE(P') for every P,P' G P'. For every P G P', let d{P) 
be the last divergence point from 7r(s,w). We first claim that the suffix segments P[d{P),v] are 
vertex disjoint besides the common endpoint v. To see this, assume towards contradiction that 
there exists a mutual vertex w in the intersection of P[d{P),v] and P'[d{P'),v] for two distinct 
paths P, P' G Py. Since P and P' ends with a distinct last edge, and as d{P),d{P') are the last 
divergence points from 7r(s,u), we get that there are two distinct w — v paths in G \ E{tt{s,v)), 
namely, Pi = P[w,v] and P 2 = P'['w,v], contradiction to the uniqueness of the shortest-paths. 

We can then sort the paths P in in increasing distance of d{P) and v, and the argumentation 
follows the exact same line as for the single edge fault case (i.e., the i’th segment Pi[d{Pi),v] is of 
length at least i for every i G {1,...,|F1„|} and these segments are vertex disjoint). | 

Easy case (2) : small FT-diameter graphs. Let Df{G) = max{dist(s, u, G\F) | E E E,\F\ < /—1} 
be the f-FT-diameter of the graph G. We proceed by claiming that graphs of small /-FT-diameter 
have relatively sparse /-FT-BFS structures (i.e., BFS structures that are resilient against the failing 
of at most / edges.) Since it is sufficient to collect the last edge from each replacement-path (by 
the same argument as for the single fault case), we have the following. 

Observation 1.6 For every n-vertex graph G and source vertex s G L, there exists an /-FT-BFS 
structure H C G with 0((Zlj(G))-^ • n) edges. 

2 Notation 

Given a graph G = {V,E) and a source node s, let Tq{s) C G be a shortest paths (or BFS) tree 
rooted at s. Let 7r(s,v,To) be the s — v shortest-path in tree Tq, when the tree Tq = To(s), we 
may omit it and simply write 7r(s,v). Let r(u,G) be the set of v neighbors in G. Let E{v,G) = 
{(u,u) G E{G)} be the set of edges incident to v in the graph G and let deg(u,G) = \E{v,G)\ 
denote the degree of node v in G. When the graph G is clear from the context, we may omit it and 
simply write deg(u). Let depth(s,u) = dist(s,u,G) denote the depth of v in the BFS tree To(s). 
When the source node s is clear from the context, we may omit it and simply write depth(u). 
For a subgraph G' = {V, E') C G (where W C 1/ and E' C E) and a pair of nodes u,v £ V, 
let dist(u,u,G') denote the shortest-path distance in edges between u and v in G'. Assuming an 
edge weight function W : E{G) —)■ M"*", let SP{s, u*, G, W) be the set of s — Uj shortest-paths in G 
according to the edge weights of IT. If IT is a weight assignment that guarantees the uniqueness 
of the shortest paths, then we override the definition and let P = SP{u,v,G,W) be the unique 
u — V shortest path in G according to IT. Throughout, the edges of these paths are considered to 
be directed away from the source node s. The edges on any s — v path P are considered from the 
top s to the bottom v, hence an edge Ci G P is a above Cj G P if e* is closer to s then ej. For an 
edge e = {x,y) G To{s), define dist(s,e) = i if depth(x) = i — 1 and depth(y) = i. A vertex w 
is a divergence point of the s — v paths Pi and P 2 if tc G Pi n P 2 but the next vertex u after w 
(i.e., such that u is closer to v) in the path Pi is not in P 2 . We view the 7r(s,u) path from top 
(i.e., s) to bottom v. An edge e* is said to be above ej, if it is closer to s on the path 7r(s,u). A 
subgraph H is an /-FT-MBFS structure (multi-source FT-BFS) for G with respect to a source set 


7 



5 C F, iff dist(s, V, H \F) = dist(s, v,G\ F) for every vertex pair (s, f) G 5 x f/ and every failing 
sequence F F E, |F| < /. Single source /-FT-MBFS structures (with IS"! = 1) are referred to here 
as /-FT-BFS structures. In addition, /-FT-MBFS structures with ISj = 1 and / = 2 are referred to 
here as dual failure FT-BFS structures. 

A bit harder: the dual failure case with simplifying assumptions. We next sketch the size 
analysis for dual failure FT-structures, for a very degenerate case. We focus on vertex v G V and 
show that it has at most 0{n‘^^^) edges in the final structure H. The following notation is useful in 
our analysis. For every (tt, D) replacement-path P = Ps,v,{ei,u}-: let D[P) = Ps^v,{ei} \7r(s,u) be the 
detour segment of Ps^v,{ei} such that ti G D{P) (including the endpoints on 7r(s,r;)), let F{P) = 
{cipi} be the failing edges protected by P, Fi{P) = e* G 7r{s,v) and F 2 {P) = U G D{P). For two 
s — V (tt, D)-replacement paths Pi,Pj, we say that Pi interferes with Pj, if F 2 {Pj) G Pi\ D{Pi). 
The (tt, D) paths Pi,Pj are independent if Pi does not interfere with Pj and vice-versa. For a fixed 
V G V, define H{v) = {LastE(P 5 ^t,^i?) | F C E,\F\ < 2} as the collection of last edges of all 
s — V replacement-paths where Ps,v,F is the (unique) s — v shortest-path in G \ F. It is sufficient 
to consider one representative replacement-path for each new edge of v in H{v). Hence, assume 
throughout, that the last edge of each path in the collection of new-ending s — v replacement paths 
is distinct. Since bounding the collection of (tt, tt) replacement-paths (protecting against two edges 
faults on 7r(s, v)) is very similar to the single fault case, we restrict attention to the more technically 
challenging part of bounding (tt, D)-paths. We now bound H{v) in the special case obtained by 
making the following simplifying assumptions: (SI) all s — u replacement paths in G \ F are unique 
for every F C F, |F| < 2, (S2) the detour segments F* of the s — v single edge replacement paths 
Fg„{gj, Ci G 7r(s,r;), are edge disjoint, and (S3) all replacement-paths are independent. We then 
classify the (tt, D) replacement paths into two classes depending on whether or not they intersect 
their detour (i.e, the detour that protects their first failing edge and contains their second failing 
edge). Let Vnodet be the subset of replacement paths F that do not intersect the edges of their 
detours and let Vinter be the remaining paths. 

-paths that do not intersect their detour. To bound this class, it is sufficient to use 
assumptions (SI) and (S2). We begin by noting that each path Pi G Vnodet protects a distinct edge 
on 7r(s,u). Order these paths Vnodet = {Fi,... ,Pn} in increasing distance between s and Fi{Pj), 
i.e., 

dist(s, Fi(Fi)) < ... < dist(s, Fi(F^r)). Let e* = Fi(Fi) and M = \_N/2\. We now restrict attention 
to the set of first M paths Vm = {Pj \ 1 < / < Ff}. Let Vm = {F(F) | P G Vm} be the 
collection of their corresponding detours and let V{Vm) = {]d&Vm paths of Vnodet are 

classified into two classes depending on whether or not they intersect the edges of T>m- In a way 
similar to the proof of the single failure case, one can show that there are 0{y/n) paths in Vm that 
do not intersect the edges of Vm- Hence, it remains to bound the remaining paths in Vm- For 
every such path Fj, let a* be their last mutual vertex in V{Vm) \ Again, by the uniqueness of 
the shortest-path, we can show the following. 

Lemma 2.1 (a) Fi(Fj) / Fi{Pj) for every Pi,Pj G Vnodet ond hence by (S2) D{Pi) and D{Pj) 
are edge disjoint; (b) V{Pi[ai,v]) H V{Pj[aj,v]) = 0. 

We next classify the detours Di G Vm according to their lengths. A detour Di is expensive if 
\Di\ > Af/2, otherwise it is cheap. Next, the new-ending paths Pi G Vm that intersect Vm are 
classified according to the detour D{ai) on which a* (the last common vertex of Pi \ {u} and 
V{Vm)) appears. Then Pi is expensive (resp., cheap) if D{ai) is expensive (resp., cheap). Let 
Vcheap = {Pi G Vm I D{ai) is cheap } and Vexpen = {Pi G Vm \ D{ai) is expensive }. We next 
separately bound \Vcheap\ and \Vexpen\- 



Claim 2.2 \Vcheap\ = 0(\/n). 


Proof: 


Let Vcheap = UpiSPefteap 


Obs. 


2.1 


I'^cheapl — 


We now focus on some Pi and show that |Pj[®*w]| ^ M/2. First note that Pi[ai,v] and 7r(s,u) 
are vertex disjoint (except for the common endpoint v), as a* occurs after the unique 7r-divergence 
point of Pi from Tr{s,v). Hence, 


|P4“*w]| > dist(aj,u, (G\l/(7r(s,u)))u{u}) . (1) 

Let Dj = D{ai) G Vm be the detour protecting against the failing of the edge e^. Then, 

dist(xj, u, G \ {ej}) > dist{xj,v,G) > dist(ej,u) PM, (2) 

where the penultimate inequality follows as Xj appears above the failing edge on 7r(s, v) and last 
inequality follows by the fact that Dj G Vm- Since a* appears on a cheap detour Dj, we get that 
dist(xj,ai,G \ {fij}) < \Dj\ < M/2 , and combining this with Eq. Q, we get that dist(aj,u,G \ 
{cj}) > M/2. By combining with Eq. ([^, we get that overall ^]l — M/2. We therefore have 

that M/2-\Vcheap\ < \Vcheap\ < u. It follows that \Vcheap\ < 2n/M. Since clearly also \Vcheap\ < M, 
we have \Vcheap\ < min{M, 2n/M} < ^/^. The claim follows. | 


Claim 2.3 \Vexpen\ = 0{'n?/^). 

Proof: Let Vexpen = {Dj G Vm \ \Dj\ > M/2} be the collection of expensive detours, 2 = \Vexpen\- 
We now classify the expensive paths of Vexpen into z classes where each path Pi is mapped to the 
class of the detour Dj G Vexpen on which a* appears. For every Dj G Vexpen, let Vj = {Pi G 
Vexpen \ D{ai) = Dj}, and let Nj = \Vj\ be the cardinality of this set. 

We begin by bounding the number of vertices appearing in the expensive detours, let Vd = 
Up. ,ex>A/ I \Dj\>M/2 ^{Dj) be the vertices appearing on the expensive detours. By edge-disjointness 
of the detours (assumption (S2)), we get that | VqI > z- (M/2 —2). We now proceed by bounding the 
number of vertices appearing on the expensive replacement paths, Vp = UpiS-Pexpen '^{Di[ai,v\) \ 
{ai,v}. Note that for every expensive path Pi, its segment Pi[ai,v] is vertex disjoint (expect for 
its endpoints ai and v) with the vertex set Vd- Fix some j G {1,... ,z}, with Nj exp ensive paths 
Vj. We now claim that Vj = [Jp.^p. Pi[ai,v] contains Q{Nj ) vertices. By Cl. |2.ll the Pi[ai,v] 
segments are disjoint. Order the patUs of Vj in increasing distance of Oj from rli Since ai G Dj 
for every Pi G Vj and the Oj’s are distinct it holds that |V^j > {Nj — 1)^/2 and summing over 
all j (as the suffixes Pi[ai,v] \ {u} are disjoint) and using the Cauchy-Schwarz inequality, we get 
that |Vp| > Ylj=ii^j ~ 1)^/2 • Recall that the sets Vp and Vd are disjoint, and thus, we get that 
n > |Vp U VdI = |Vp| + |Vd| > - 1)V2 + z • M/2 = ^(M^G) . We get M = 0 {n^D)^ as 

required. | 

{tt, D)-paths that intersect their detour. We now consider the replacement-paths in Vinter 
that intersect the edges of their detour , under assumptions (S1-S3). For every Pi G Vinter, let 
Di = D{Pi), and Xi,yi G 'k{s,v) be the first (resp., last) vertices of the detour Di. Let bi (resp., c*) 
be the first divergence point of Pi and 7r(s,u) (resp., D{Pi)). Let Ci = Fi{Pi) be the first failing 
edge protected by Pi. It is easy to see that by the uniqueness of the shortest-paths, Xi = bi and 
Pi = 7r(s, Xi) o Di{xi, Ci) o Pi[ci,v\. That is, bi and Ci are unique divergence points from 7r(s, v) and 
D{Pi) respectively and thus the suffix Pi[ci,v\ is edge disjoint with 7r(s,u) and Di. In addition, 
since the detour segments are disjoint (by assumption (S2)), we have the following. 
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Observation 2.4 For every two paths Pi, Pj G Vinter, (1) Pi = P'j — 

are vertex disjoint. (2) If ei = ej then D{Pi) = D{Pj) and Ci ^ Cj. 


We now induce an (e, c)-ordering on the paths of Vinter, which can be viewed as based on treating 
ei and q lexicographically: For e* 7 ^ ej, we say that {ei,Ci) < {ej,Cj) if dist(s, e*,' 7 r(s, ?;)) < 
dist(s, Cj, 7r(s, n)). For Cj = ej, let (ei,Ci) < {ej,Cj) if dist(xi, Cj, Z)(Pj)) < dist{xi, Cj, D{Pi)). By 
Obs. 2.4, this is well defined. We next order the paths of Vinter in increasing (e,c) order. Let 
Winter = {Pi,..., Pi} where (ei, ci) < ... < {ei, q). By showing that F{Pj) ^ Pi for every i < j, 
we have that the lengths of the paths in the ordered set inter are strictly monotone decreasing. 


Lemma 2.5 |Pi| > ... > \Pi\ (or alternatively, if{ei,Ci) < {ej,Cj) then |Pj| > \Pj\). 


Proof: Let i < j £ {1, We begin by showing that F{Pj) ^ Pi. Recall that P^ = 7r{s,Xk) o 
Dk{xk,Ck) o Pk[ck,v] where Dk = D{Pk) for k G {i,j}- Let Xk,yk be the first (resp., last) vertices 
of the detour Dk for k G {i,j}- 

Since Pi diverges from 7 r(s, v) above which is not below ej , it holds that ej ^ P*. So, it remains 
to show that F 2 {Pj) ^ Pi- Assume towards contradiction that F 2 {Pj) = {qi,Q 2 ) occurs on Pj. First, 
assume that Di = Dj. Since P 2 (Pj) G Di and Pi[ci,v] is edge disjoint with Di (i.e. q is a unique 
divergence point from Di), it holds that F 2 {Pj) G Di\xi, c*]. By the ordering dist(xj, Cj) > dist(xj, Cj) 
and since Di[xi,Ci] C Di[xi,Cj] C Pj, we end with contradiction. Next, assume that Di 7 ^ Dj. We 
show that in such a case there are two q2 — v shortest paths in G\{F{Pi),ej}, namely, Zi = Pi[q2, v\ 
and Z2 = Dj[q2,yj] o 7 r{yj,v), hence leading to a contradiction by the uniqueness of the shortest- 
paths. First, note that since Pi is new-ending, indeed Zi 7 ^ Z2. Since e* is above ej on Tr{s,v), 
Ci ^ Z2 and since P 2 (Pi) G Di and E{Di) n E{Dj), it holds that F{Pi) ^ Pj. By the optimality 
of Pi and Ps^v,{ej} if holds that \Zi\ = \Z2\, leading to a contradiction by the uniqueness of the 
shortest-paths in G \ {P{Pi), ej}. 

Assume towards contradiction that |Pi| < |Pj|. Since Pi ^ Pj £ G \ F{Pj), we end with 
contradiction to the uniqueness of the s — v shortest paths in G \ F[Pj). | 


We now group the ordered paths Pi of Vinter into classes depending on their Cj-value (i.e., the 
first failing edge they protect in 7 r(s,rj)). For every vertex G 7 r(s,n), let Nk be the number of 
replacement paths in Vinter whose first failing edge is e^. Let z = |dist(s,n)|. By assumptions 
(S1-S3) and the ordering of Lemma 2.5, we get: 


Lemma 2.6 For every Pi 7 ^ Pj £ Vinter: (a) V{Pi[ci,v]) n V{Pj[cj,v\) = {u}. (b) //Pi(Pj) 7 ^ 
Fi{Pj), then Pi\bi,v] \ {bi,v} and Pj[bj,v] \ {bj,v} are vertex disjoint, (c) The total number of 
vertiees occupied by these paths is Ylk=i ^i)- 

Note that \Vinter\ = Hence, by combining this with Lemma | 2 . 6 K c), we get that there are 

0{p?D) such paths. This completes the analysis for the simplified case. 


Road map. We now provide a high level road map of the general proof of the upper bound without 
assuming (S1-S3). First, the algorithm needs to support the case where the replacement-paths are 
not unique and hence have to be carefully chosen. The guiding principle for selecting the desired 
replacement paths is to favor replacement-paths that diverge from 7r(s, v) as close to s as possible. 
Among these, the algorithm favors replacement-paths that diverge from their detour segment as 
early as possible. Second, when removing assumption (S 2 ), one has to incorporate into the analysis 
the optional complex interactions between detour segments. The main structural theory developed 
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in this paper is meant to deal this complication. Hence, a crucial step for understanding the 
structure of dual failure replacement paths is the understanding of the structure of the detours. To 
do that, we focus on pairs of detours Di and Dj and classify their structural dependency into six 
classes (see Fig. [^. We then provide some simplifying rules for each class that are frequently used 
in our argumentation. Quite interestingly, understanding the pairwise relation between the detours 
was sufficient in order to obtain an understanding of the global picture (i.e., which might contain 
complex interaction between many detours). Finally, removing assumption (S3) entails another 
major complication in our analysis. In particular, when two paths Pi and Pj interfere, Lemma [2.6[ a) 
is no-longer guaranteed to hold. In our analysis, the set of interfering paths is further classified 
into two subsets by distinguishing between two types of interference, namely, n-interference and D- 
interference. We show that each of these two classes imposes different structural constraints which 
allow us to bound their cardinality. Our tool kit consists of two main components: (a) complete 
mapping of the pairwise interactions between detours and (b) a subgraph JC denoted hereafter as 
a kernel subgraph that contains the entire required information from G but has some convenient 
properties that facilitate the analysis. This structure is heavily based on the detour configuration 
machinery established in (a) (see Section 3.2). For every vertex u, the kernel subgraph fCy{P) is 
imposed on a given collection of detours V = {Di,..., Dt}. Clearly the set of relevant faulty edges 
of the (tt, D) replacement paths is given by the subgraph GyiV) = 7r(s, v) U {Di \ Di G V}. Quite 
surprisingly, we show that in order to analyze the structure of the new-ending (vr, D) replacement 
paths, it is sufficient to consider the subgraph JCy(V) which contains all the relevant faulty edges. 
The kernel graph is used, for example, to bound the number of replacement-paths that do not 
intersect their detours. For example, it is essential for establishing Lemma 2.2 and |2.3| without 
assuming (S2). We note that these tools might be used in further contexts to pave the way to 
the future design of /-fault resilient structures for / > 2. Equipped with these tools, to bound 
the number of new-ending (vr, D) paths, we employ the same high level strategy as taken for the 
single failure case: new-ending paths consume many vertices, and since the number of vertices is 
limited by n, the number of new-ending paths is bounded as well (as a function of n). To do 
that, we would like to show that every new-ending path has an nonnegligible number of distinct 
vertices, not appearing on any other path. The main technical question is to identify a subpath of 
the new-ending path that is guaranteed to be sufficiently long and disjoint from all others. Since 
our replacement paths may overlap and share many common vertices, towards achieving this goal 
we classify the new-ending paths into five classes and bound that size of each class separately. For 
schematic illustrations of this classification, see Fig. The size analysis of each class exploits the 
tools described above and provides a deeper understanding of the complex behavior of dual failure 
replacement paths. 


Beyond two faults. In the current analysis, a crucial step for understanding the structure of dual¬ 
failure replacement paths is the understanding of the detour structure of single failure replacement 
paths. The understanding of /-failure replacement paths becomes much less tractable as the number 
of faults / increases. Consider for example the case of / = 3. In this case, there are two types of 
detours: (1) Di detours, the detours of the single failure replacement paths, e.g., Ps,v,{ei}v) for 
Ci G 7r(s,u); and (2) D 2 detours, the detours of the dual failure replacement paths, e.g., Ps,v,{ei,tj} \ 
Ps,v,{ei} £ '^(■S) "v) and tj G Ps,v,{ei} \ '^('Sj v). It is then required to understand the interactions 

between two detours of type D 2 as well as the interaction between a detour of type Di and of type 
□ 2 . The generalization of (vr,7r) and (tt, D) replacement path classification in the case of 3 faults 
gives raise to the following classes: (a): (tTjTt, vr) replacement paths protecting against three faults 
on 7r(s, v)] (b) (tt, vr, Di) replacement paths protecting against two faults on 7r(s, v) and one fault on 
a detour of type Di; (c) (vr, Di, Di) replacement paths protecting against single fault on 7r(s, v) and 
two faults on Di and (d) (vr, Di, D 2 ) replacement paths protecting against single fault on Tr{s,v), 
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single fault on Di detour and single fault on D 2 detour. By using similar arguments to the single 
failure case, the edges added due to type (a) replacement paths can be bounded by 0(n^/^) (and 
this can be generalized to any / > 1 faults). The main difficulty arises when considering the other 
types, as this calls for a deep understanding of the interactions between detours of type Di and 
□ 2 . For a general integer / > 1, a detour D' is said to be of type Dj for j G — 1}, if 

there exists an j-failure replacement path Ps,v,F, F = {ei,..., ej} such that D' = Ps,v,F \ Ps,v,F' 
for F' = {ei,..., Cj-i}. It is then required to understand the interactions between detours of type 
Di,..., Df_i. An additional source of difficulty arises when attempting to generalize the notion of 
interference. In the dual-failure case, we considered two types of interference, namely, 7r-interference 
and D-interference and each such class called for different tools. In the case of general / > 1, one 
needs to consider many more options, e.g., interference of types (vr, vr, Di), (vr, Dj^,..., DjJ for 
ii, G {1,etc. Each such class may impose different structural constraints which 
would eventually provide the basis for bounding its cardinality. We note that the lower-bound 
construction of should give us some useful hints for attaining (hopefully a matching) 

upper bound. 


3 Description and Analysis of Algorithm Cons2FTBFS 

In this section, we establish Thm. o For useful notation, see Sec. We present an algorithm 
that given an unweighted undirected n-vertex graph G = {V, E) and a source s G E, constructs a 
dual failure FT-BFS subgraph H P G. We then analyze the correctness of the algorithm and bound 
the size of the output structure. The size analysis of the subgraph H constitutes the main technical 
contribution of this paper. 


Algorithm Cons2FTBFS. Let VF be a weight assignment that guarantees the uniqueness of the 
shortest-pathsj^ Let Tq = UusV rooted at s where 7r(s, v) is the shortest 

path from s to n in G, namely, 7r(s, u) = [s = uq, ui, ..., = n] = SP{s, v, G, W). 

For a sonrce node s, a target node v and an edge pair F = {cj, ej} G G, the shortest s — v path 
Ps,v,F that does not go through F is known as a replacement path. Thus, a dual FT-BFS structure 
contains the collection of all replacement paths Ps,v,F for every v G V{G) and every failed pair of 
edges F = {ei,ej} C E{G). Hereafter, we hx one vertex v and concentrate on constructing s — v 
replacement paths protecting against at most two failures in E{G). Algorithm Cons2FTBFS consists 
of three steps depending on the type of the faulty edges. See Fig. for a schematic illustration. 
First, it constructs a collection of paths Ps,v,F £ SP{s, v,G\F) where only one edge failure occurs, 
i.e., F = {e*} for every e* G 7r(s,u). The selection prefers the replacement path that diverges from 
f(s, v) as early as possible. Then, the algorithm considers the case where the two failing edges occur 
on 7r(s, v). Finally, letting Di = Pi \vr(s, v) be the detour segment of Pi = Ps,v,{ei} from 7r(s, v), the 
last step considers the case where the second failing edge occurs on Di. In this case, the procedure 
would attempt to construct a replacement path whose divergence point from f{s, v) is as close to s 
as possible and under certain conditions it imposes also the requirement that the divergence point 
from Di is as closest to s as well. Eventually, only the last edge of each replacement path is added 
to the construction. The following definition is nseful. For every a = {ui,Ui+i) G f{s,v), and 
fe G {0,..., z}, we would like to consider the possibility that Uk is the point where the replacement 
path protecting against a failure in e* diverges from tt{s,v). To enforce that possibility, for every 

^Note that the given graph is unweighted and the fractional weights of W only break the unweighted shortest-path 
ties in a consistent manner. 
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two vertices, Uk,U£ G 7r(s,r;), we define the graph 


G{uk,Ui) = {G\V {TT{uk,ue)) U {uk, r;} • 


( 3 ) 


that contains Uk and v but does not contain the other vertices on the segment TT{uk, un). Intuitively, 
for an edge e* = {ui, tfj+i) G 7r(s, v) and a vertex Uk G 7r(s, Ui), the first divergence point of the s — v 
replacement path P G G{uk, ui) \ {cj, ej} from 7r(s, v) is Uk- Since the divergence point from 7r(s, v) 
of any replacement path protecting against the failing of e* must occur above the failing edge e*, it 
holds that Uk G 7r(s,Ui). Analogously, an s — u replacement path P in G{uk,v) \ {ei,ej} diverges 
from 7r{s,v) at the point Uk and its last edge is not in 7r(s,u). In such a case, P[uk-,v\ and '7r(s,u) 
are edge disjoint. The algorithm would attempt to find the upmost divergence point Uk G 7r(s,Uj) 
such that G{uk,Ui) contains a replacement path for the failures ei,ej. 


(1) Single edge fault replacement paths. The first step considers single edge failure scenarios. Denote 
the collection of possible edge failures by T’^(7r) = {{cj} | e* G 7r(s, u)}. Let fco G {0,..., f} be the 
minimal index k satisfying that dist(s, u, Uj) \ {cj}) = dist(s,u,G \ {cj}). Define Ps^v,{ei} ^ 
SP{s, V, G{uko, Ui) \ {ci}, W). For each G let Di = Ps^v,{ei} be the detour segment 

of the replacement path chosen for e*. In Cl. 


3.4 


we show that Ps^v,{ei} = o Di o 7r(yj,u) 

where Xi (resp., yi) is the first (resp., last) vertex of Di and Ci G 7r{xi,yi). As mentioned earlier, we 
do not have to add the entire replacement paths to the constructed structure; we later prove that it 
suffices to add the last edge of each replacement paths. Let F^i(7r) = {LastE(P 5 „ {gi})) ^ x)} 

be the last edges of replacement paths protecting against faults in E{7r{s,v)). These edges will be 
added to the constructed structure. For every edge G 7r(s,v), let Di =G \ E{tt{s,v)) 

be the detour segment of Ps,v,{ei}- In Cl. 3.4, we show that Ps^v,{ei} can be decomposed into 
three segments such that Ps^v,{ei} — ^i) °Ei ° x) where Di = y*] is the detour 

segment. 


(2) Two faults on tt{s,v). The second step considers pairs of failures occurring both on tt{s,v). 
The collection of failure events considered is thus T'^(vr) = {F = {cj, ej} \ F C 7r(s, v)}. 

Without loss of generality, assume throughout that e* appears above ej on the path tt{s,v). Re¬ 
call that Di (respectively, Dj) is the detour segment of (resp., Ps^v,{ej})- Tbe procedure 

constructs the shortest path Ps,v,F £ SP{s, v,G\F) in the following manner. First the algorithm 
prefers a replacement path that is composed of the detours Di and Dj constructed at step (1). 
Specifically, if the intersection Did Dj / 0, then let w G Did Dj be the last point on Dj that is 
common to Dj. DeHnethepath P = 7r{s,Xi)oDi[xi,w]oDj[w,yj]o7r{yj,v). If|P| = dist(s, u, G\F), 
then let Ps,v,F = P- Otherwise, define Ps,v,{ei,ej} = SP{s, v,G\ {e*, Cj}, W). The set of edges to be 
added in this step is E 2 {f) = {LastE(Pg^^^i7’), F G P^(7r)}, the collection of last edges of replacement 
paths protecting against two edges faults on f{s,v). 

(3) One fault on Tr{s,v) and one on the detour. The third step considers the remaining (relevant) 

case where one of the failing edge e* occurs on the path 7r(s, v) and the second failing edge occurs 
on the detour segment Di. Hence, the collection of failure scenarios considered in this step is 
P^(D) = {{ei,tj} I ei G 7r(s, v),tj G Di}. We now order the pairs F = {ei,tj} G P^(D) in the 
following manner. Let Pj^ = and Pjj = {ei^,tj^}. If then let Pjj > Fi^ iff 

dist(s, Cji, G) > dist(s, 6*2, G). Else, if 6*^ = e*2, then we use the second coordinate t* to break 
the tie where Pjj > P*2 iff dist(a:j^, AJ > dist(xj2, tja; AJ where P*^ = Ps,v,{eij[xh,yh] is 
the detour segment of Ps,,;,{g.^}. Let !^„(P) = {Pi, P2,..., Pfc} be the ordering of the faulty pairs 
P,;(D) in decreasing order where Pi > P2 > ... > Pfc. 

Let Eq{v) = E{v,Tq) U Pi(7r) U p 2 (vr) be an initial collection of edges incident to v be added 
to the structure by steps (1) and (2). The algorithm considers the faulty pairs P according to 
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the ordering of where at step r > 1, given Er-i{v), it considers the pair Fr = [er,tr) G 

^^(-D) and computes the replacement path Ps,v,Fr ^ SP{s,v,G \ Fr) in the following manner. 
Let Gr-i{v) = {G \ F{v,G)) U Fr-i{v) be a subgraph of G in which the edges incident to v are 
only the edges of Fr-i{v). First, if there exists a shortest replacement path for Fr in Gr-i{v), 
namely, one that uses the edges of Fr-i{v), then no new edge of v should be introduced, he.. If 
dist(s, u, Gr-i(u) \ F,-) = dist(s, u, G \ Ft), then let = SP{s,v,Gr-i{v)\Fr,W). Otherwise, 

a new edge of v that is not in Fr-i{v) is essential for satisfying the pair Ft. The algorithm 
then aims to select a new-ending replacement path whose first divergence point br from 7r(s, v) 
is as close to s as possible. Let Xr be the hrst vertex of the detour Dr- The point br is found 
as follows. Let Ct = (uj.,.,define Uk G 7r(s,Mi^) as the closest vertex to s satisfying that 
dist(s, u, G{uk, v) \ Fr) = dist(s, v, G\ Ft). Then br = Uk and let F = SP{s, v, G{uk, v) \ Fr, W). If 
the first divergence point br of P from tt{s,v) is not Xr (i.e., the divergence point is not as that of 
Ps,v,{er} it{s,v)) then let Ps,v,Fr = P- Else, if br = Xr, the replacement path Ps,v,Fr is selected 
so that its unique divergence point from the detour Dr is as close to Xr as possible. To enforce 
that, let Dr = [xr = wq, ... ,Wq = yr] where the second failing edge is F = {wj,Wj+i), then for 
every j > 1 and every i G {0,..., j}, define 

Goiwi) = {G{xr,v)\V{Dr[we,yr]))'J{we} ■ ( 4 ) 

That is, an s — u replacement path in the subgraph Goiwi) \ Fr diverges from tt{s, v) at the unique 
point br and diverges from Dr at the point W£. Since the divergence point from Dr must occur 
above the second failing edge F it holds that G D[wo, Wj\. The algorithm computes a Ps,v,Fr path 
whose divergence point from Dr is as close to wq on the detour Dr as possible: let £ G {0,..., j} 
be the minimum index satisfying that dist(s, u, GD(rc£) \ Ft) = dist(s,u,G \ Ft). Let Ps,v,Fr = 
TT{s,Xr) O Dr[Xr,We] O SP{wi,V, Go{w() \ Ft, IT). Finally, let Fr{v) = Fr-l{v) U {LeiStE{Ps^v,Fr)} ■ 
This completes the description of the algorithm. 

Let = Ft (vr) U F^ (vr) U Ft(D) be the collection of single edge and edge pair failure events 
for which an s — u replacement path Ps,v,F was constructed. Let H{v) = UfsT" 
be the collection of last edges of all replacement paths in PgvF- Finally, the algorithm outputs 
H = U„e,- H(v) U To as the resulting dual failure FT-BFS structure. 

In this section, we show that the subgraph H, the output of Alg. Cons2FTBFS, is a dual failure 
FT-BFS structure and then bound its size. Recall that a path Ft = Ps,v,Fr F a (tt, 7r)-replacement 
path if its two failing edges appear on the tt{s,v) path, i.e., |Ft| = 2 and Ft C 7r(s,u). Otherwise, 
if the first failing edge e* appears on the 7r(s, v) path and the second failing edge tj appears on 
the detour segment F, of Ps^v,{ei}^ h is a (tt, D)-replacement path. Hence, step (2) constructs the 
collection of (tt, 7r)-replacement paths and step (3) constructs the collection of (tt, D)-replacement 
paths. 

An edge e G H is new if e G H \To, i.e, it is not part of the original fault free BFS tree Tq 
computed in G. A (vr, D) replacement path Ft = Ps,v,Fr F new-ending if Gt-i(u) did not satisfy 
the faults of Ft, i.e., LastE(FT) was hrst added to the constructed H{v) by Ft. In particular, 
for a new-ending replacement path Ft, we have LastE(FT) ^ Fq. Note that Alg. Cons2FTBFS 
adds only the last edge of new-ending paths to the structure. Hence, our goal is to bound the 
number of new edges in H. Let Mew(u) = P[{v) \ F(v,Tq) be the collection of new edges incident 
to V. Throughout, we focus on a single vertex v G V \ {s} and show that |New(u)| = 0(n^/^). 
For every e G New(u), let F(e) = Ft be the new ending replacement path that hrst introduced 
LastE(F) = e to H{v). To bound the size of New(u), we study the structure of new-ending paths. 
Let Pv = {F(e) | e G New(u)} be the collection of new-ending s — v replacement paths, each 

representing one distinct new edge from New(u). 
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Figure 2: Three types of replacement paths each constructed by a distinct steps of Alg. 
Cons2FTBFS. (a) Single edge failure e* G 7r(s,u). The algorithm selects the replacement path 
Ps,v,{ei} whose divergence point from 7r(s, v) is as close to s as possible. (Shown on the right hand 
side is another candidate path of the same length with a lower distinct divergence point, the was 
not chosen.) (b) Two edge faults both occurring on 7r(s,u). The corresponding replacement path 
Ps,v,{ei,ej} i^ay have two divergence points from 7r(s,u). (c) One edge fault Si is on tt{s,v) and one 
tj is on of the detour segment D*. The algorithm selects the replacement path Ps,v,{ei,tj} with the 
“highest” (closest to s) divergence points bi from 7t{s,v) and c* from the detour segment Di. (d) 
As in (c), only that the replacement path Ps^v,{ei,tj} does not intersect with its detour Di. 


15 





The following notation is useful in our setting. We view the 7r(s,v) path from top (i.e., s) to 
bottom V. An edge Cj is said to be above ej, if it is closer to s on the path tt{s,v). For vertices 
Ui,Uj £ 7r{s,v), we denote Ui < Uj if dist(s, ti*, G) < dist{s, Uj,G) (i.e., Ui appears on tt{s,v) before 
Uj). For a given edge pair F £ J^y and a replacement path P = Ps,v,F, let Fi{P) = e* be the first 
failing edge in F (note that this edge, by convention, is always on the shortest path 7r{s,v)) and 
let F 2 {P) be the second failing edge in F (if exists), where F 2 {P) might be either on tt{s,v) or 
on the detour segment Di of Ps,v,{ei}- Let F{P) = {Fi{P), F 2 {P)} be the two failing edges (i.e., 
P £ SP{s,v,G \ F{P))). Let D{P) = Di, be the detour segment protecting against the failing of 
the edge Fi{P) = ei £ 'k{s,v). Throughout, we assume Di = Ps,v,{ei}[xi-,yi]- We denote the first 
(resp., last) vertex of the detour Di by x{Di) (resp. y{Di)) , i.e., x{Di) = Xi and y{Di) = yi. 

Note that a replacement path Pi does not necessarily intersect with the detour D{Pi) (e.g., see 
Fig. gd)). Let h{Pi) (or bi for short) be the first divergence point of the path Pi from 7r(s,u). We 
denote this point as the -n-divergence point of Pi. If Pi intersects with its detour D{Pi), then let c{Pi) 
(or Ci) be the first divergence point of Pi from D[Pi). We denote this point by the D-divergence 
point of Pi- See Fig. [^c). 

3.1 Correctness 

The correctness analysis consists of two steps. First, we show the correctness of the construction 
of the replacement paths Ps,v,F by Alg. Cons2FTBFS. Then, we show that taking the last edge of 
every replacement path Ps,v,F for every v £ V and F £ Fy is sufficient for making H a dual failure 
FT-BFS structure. 

Lemma 3.1 For every v £V and F £ Fy, Ps,v,F £ SP{s, v,G\ F). 

Proof: Note that Ps,v,F is not necessarily in SP{s, v,G\ F, W). In particular, SP{s, v,G\ F, W) 
correspond to a unique replacement-path which may not be the one the we want. To establish 
correctness, we thus show that the replacement path chosen is indeed a shortest-path in G \ F. 
First, consider the case where Ps,v,F was constructed in step (1), hence F = {ei = (rtj,rij+i)} where 
Ci £ 7r(s, v). It is sufficient to show that there exists Uk £ vr(s, Ui), satisfying that dist(s, v, G{uk, Ui)\ 
Fy) = dist(s, V, G\Fy). This holds as by Eq. Q, G{ui,Ui) = G. Next, consider the case where Ps,v,F 
was constructed in step (2). Hence, Ps,v,F is a (vr, 7r)-replacement path. This case is immediate. 

Finally, consider the case where Ps,v,F is a (vr, D)-replacement path. Let r be the iteration 
in which the pair F = Fy = {ei,tj) was considered by the algorithm in step (3). It is sufficient 
to consider the case where Fy is not satisfied by the current graph Gy-i, i.e., the path Ps,v,F 
is a new-ending path. We first claim that there always exists an s — u new-ending path with 
a unique divergence point b from tt{s,v) that appears above the failing edge Cj G tt{s,v). Let 
P = SP{s, v,G\ Fy, W) and let b be the first divergence point of P and 7r(s, v). Assume towards 
contradiction that b is not unique and let b' £ P[b, u]n7r[6, u] be another divergence point. There are 
two cases. If G 7r(6,5'), then ^ 7r(5',u) and hence by the uniqueness of W, 7r(6',u) = P[b',v], 
contradiction to the fact that b' is a divergence point. Else, if e* G vr(6', v) (i.e., e* ^ 7r(6, 6')) then by 
the uniqueness of W, 7r{b, b') = P\b, b'\, contradiction to the fact that 6 is a divergence point. Hence, 
the divergence point b is unique and therefore it also holds that P = SP{s,v,G{b,v) \ Fy,W). If 
b Xy where Xy is the first vertex of the detour Dy = Ps,y,{ei}[xT-,yT\ (he., the detour segment of 
Ps,v,{ei}) then the correctness follows, since in this case the algorithm let Ps,v,Fy = P- It remains 
to consider the case where b = Xy. We claim that in such a case the path P has unique divergence 
point c from the detour Dy. Assume towards contradiction that there exists an additional common 
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point in the intersection w G {P[c,v] Pi ii*,-[c, ?/t]) \ {c}- Observe that tj G Dr[w,yr], as otherwise 
the path P' = P[s,t(;] o Dr[w,yr] o 7r{yr,v) is in SP{s,v,G \ F-r) and ends with an edge in Tq, 
contradiction to the fact that P^ was not satisfied by Gr-i{v). Therefore, tj G Dt[w, yr] and by the 
uniqueness of the weight assignment W it holds that P[c,w] = Dt[c,w], contradiction to the fact 
that c is a divergence point. Hence, c is a unique divergence point from Dr and thus P C Gd(c) 
(see Eq. Q). 

Letting tj = {qi,q 2 ), the algorithm then selects the closest vertex ui G Drlxr, gi] to Xr satisfying 
that dist(s, v, Go{ui) \ Fr) = dist(s, v,G\ Fr). Since by the above, this holds for at least one vertex 
c G Dr, correctness is established. | 

We now turn to show that taking the last edges of the constructed replacement path into the 
structure H is sufficient. 

Lemma 3.2 For every ei,ej G E and every vertex u G E, dist{s,v, PI \ {ei,ej}) = dist(s,u,G\ 
{ei,ej}). 

Proof: Assume, towards contradiction, that the claim does not hold. Let 

BP = {{v,F) \ V €V,F C E,\F\ <2 and dist(s, v,H \F) > dist(s, v,G\ F)} 

be the set of “bad pairs,” namely, pairs {v, F) for which the s — v shortest path distance in H \ F 
is greater than that in G\F. (By the assumption, it holds that BP ^ 0.) 

First, note that for every bad pair (v, F) G BP, it holds that F £ Fy and hence a replacement 
path Ps,v,F was constructed for it by Algorithm Cons2FTBFS. For each bad pair (v, F) G BP, define 
BE{v, F) = Ps,v,F \ to be the set of “bad edges,” namely, the set of Ps,v,F edges that are 

missing in H (due to the sparsification phase that maintains only “last” new edges). By definition, 
BE{v,F) 7 ^ 0 for every bad pair {v,F) G BP. Let d{v,F) = maXgg 5 £;(^ p){dist(s, e, be 

the maximal depth of a missing edge in BE(v, F), and let DM{v, F) denote that “deepest missing 
edge”, i.e., the edge e on Ps,v,F satisfying d{v,F) = dist{s, e, Ps^v,f)- Finally, let {v',F') G BP be 
the pair that minimizes d{v,F), and let ei = {ui,vi) G BE{v',F') be the deepest missing edge on 
Ps,v',F'i namely, ei = DM{v',F'). Note that ei is the shallowest “deepest missing edge” over all 
bad pairs (v, F) G BP. 

Claim 3.3 {vi,F') G BP. 

Proof: Assume towards contradiction otherwise and let Pi G S'P(s, uq , iL \ F'). By the contradic¬ 
tory assumption, |Pi| = |P<j,n,F'(^)'^i)l = dist(s, ui, G \ F'). Then, the path F 2 = Fi o ^') 

is in F \ F and in addition, IF 2 I = contradiction to the fact that {v, F') G BP. The claim 

holds. I 

If F' = (ej, ej) G Fvi, let F' = Ps,vi,F'- Else, since (ui, F') is a bad pair there must be an edge 
ei G F'n 7 r(s, v) as otherwise the path tt{s, vi) C H\F'. Since F' ^ Fy, it implies that 62 G F'\{ei} 
does not appear on the detour of F^^^ p. where F = {ei}. Therefore, F^^^ ^ G SP{s,vi,G \ F') 
and let F = F p. By the construction of F, LastE(F) G H{vi) G F, and therefore the deepest 

missing edge of (ui, F) must be shallower, i.e., d{vi,F) < d{v', F'). However, this is in contradiction 
to our choice of the pair [v', F'). The lemma follows. | 

We now provide two useful claims on the structure of the s — v replacement paths and begin by 
considering the replacement path F^ ^ ^gj protecting against single edge fault e* G f{s,v). 
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Claim 3.4 (1) Every Ps^v,{ei} can be decomposed into three segments such that Ps,v,{ei} = 7 r(s,Xj)o 
Di o TT(yi,v) where Di = Ps^v,{ei}[xi-:yi\ ^he detour segment, which is edge disjoint with 'k{s,v). 
(2) There is no alternative replacement path whose unique divergence point is closer to s than Xi. 

Proof: Begin with part (1). Let Cj = {ui,Ui+i) G 7r(s,n). Let Xi G TT{s,Ui) be the closest vertex 
to s satisfying that dist(s, n, G(xi, nj) \ {cj}) = dist(s,n,G\ {e*}). Then, Alg. Cons2FTBFS define 
Ps,v,{ei} = SP{s,v,G{xi,Ui)\{ei},W). We first claim that = '^{s,Xi). Since 7r(s, Xj) C 

G{xi,Ui), and 7r(s,Xi) = SP{s,v,G,W), it also holds that 7r(s,Xj) = SP{s,v,G{xi,Ui),W). The 
claim holds as Ps^vjsi} = SP{s,v,G{xi,Ui),W). Let y* G c] H 7r(s, n)) \ {xj} be the 

first vertex on Ps^vja} appearing after Xi that is in 7r(s, v). Note that by the definition of G{xi,Ui) 
and the fact that the failing edge is e*, it holds that y* G 7r(nj+i,n). Since 7r(yj,n) C G{xi,Ui), we 
have that 

7r(yi,n) = SP{yi,v,G,W) = SP{yi,v,G{xi,Ui),W) = Ps^vjePtlVhv]. 

Note that Xj is the unique divergence point as 7 r(xi, Ui) is not in Pg^vjei} and in addition for the first 
vertex y* in 7 r(s, v) appearing after Xj, it holds that the paths collide. Hence, Di n 7 r(s, v) = {xj, y*} 
where Ci G TT{xi,yi). Part (1) follows. Part (2) follows immediately by the construction of the 
algorithm. | 

For every replacement path P = Ps^v,F-, let b{P) be the first divergence point of P from 7 r(s,u). 
We call this point the vr-divergence point of P. For a (vr, D)-replacement path P = Ps,v,{ei,tj} 
that intersects its detour Di, let c(P) be the first divergence point of P from D^. We call this 
point the D-divergence point of P. Note that while the vr-divergence point is defined for every 
s — V replacement path, the D-divergence point is defined only for (vr, D)-replacement paths that 
intersect their detours. We conclude this section by showing that the vr-divergence point of every 
replacement path is unique. 

Claim 3.5 (1) Every {tt, D)-replacement path P = Ps,v,F has a unique f- divergence point b{P) 
from vr(s, v). 

(2) If P = Ps,v,F is also new-ending, then P[b{P),v] and vr(s,u) are edge-disjoint. 

Proof: Let F = = {er,tr} be considered at time r in step (3) of Alg. Cons2FTBFS. If Ps,v,Ft 

is new-ending, i.e., was not in Gr-iiv) \ FV, then the claim follows immediately by construction, 
since Ps,v,Ft is computed in G{uk,v) for some G F{s,Ur) where Cr = {ur,Ur+i) and hence Uk is 
the unique divergence point and Ps,v,FT[uk,v] and vr(s,u) are edge disjoint. 

It remains to consider claim (1) for the case where Ps,v,Ft is not new-ending, i.e., exists in 
Gr-i{v) \ Ft-. In such a case, Ps,v,Fr = SP{s,v,Gt—i{v) \ Fr,W). Let hi be the first divergence 
point of Pr = Ps,v,Fr and vr(s,u). Assume towards construction that there exists an additional 
divergence point 62 £ FV[ 6 i,u] n vr( 6 i,u) \ { 61 , u}. Since Pr is not a (vr, vr)-replacement path, its 
second failing edge tr is not in vr(s,u). There are two cases. If Cr G vr( 6 i, 62 ), there are two b 2 — v 
paths in Gr-i \ Fr, namely, F{b 2 ,v) and Pr\b 2 ,v], contradiction to the uniqueness of W. Else, if 
Cr G vr( 62 ) v)-, there are two bi — 62 paths in Gr-i{v) \ Fr, namely, vr( 6 i, 62 ) / FV[ 6 i, 62 ], leading to 
contradiction to the uniqueness of W again. The claim follows. | 


3.2 Structural properties of detours 

A crucial step for understanding the structure of the replacement path Ps,v,F protecting against two 
edge failure in G, is the understanding of the structure of the replacement path Ps,v,{ei} protecting 
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against single failure e* on 7r(s, v). In particular, it is important to understand the detour segments 
Di = Ps^v,{ei} \ ^('S) of these paths. 

In this section, we present some basic structural properties of detours, that will provide the tools 
for bounding the size of the final structure later on. For detour Di, recall that x{Di) (resp., y{Di)) 
is the first (resp., last) common vertex with tt. Throughout, we consider two detours Di,D 2 . For 
i G {1, 2}, dehne Xi = x{Di) and yi = y{Di). Let e* be the single edge on 7r(s, v) that the detour Di 
protects, i.e., such that Ps,v,{ei} = '^{s,Xi) o Di o 7r{yi,v). Hence, e, G TT{xi,yi) for i G {1,2}. Two 
detours Di, D2 are independent, V{Di)r\V{D2) = 0, otherwise they are dependent. We now provide 
a useful claim which follows by the fact that we use the weight assignment W that guarantees the 
uniqueness of the shortest-paths. 


Claim 3.6 Let wi,W 2 G Di Ci D 2 then Di [rci, W 2 \ = D 2 [tci, W 2 \■ 


Proof: For i G {1,2}, let e* = G 7 r(s,u) such that Ps,v,{ei} = '^{s,Xi) o Di o Tr{yi,v). 

By construction, Ps,v,{ei}[xiy''j] = SPixi,v,G \ 7r{xi,Ui+i),W) for i G {1,2}. Assume, towards 
contradiction otherwise, then it implies that there are two distinct wi — W 2 shortest paths in 
G \ 7r{,s,v), given by Di[wi,W 2 ] = SP{'Wi,W 2 ,G \ tt{s,v),W) for i G {1,2}, contradiction to the 
uniqueness of IT. | 


Throughout we consider the detour segment Di[xi,yi] to be directed away from xi, i.e., going 
from the starting vertex xi to the ending vertex yi. 


Note that by Cl. 3.6, every detour Di can be decomposed into three segments according to 


some dependent detour D 2 '. the noncommon prefix Di[xi,wi], the common segment Di[wi,W 2 \ = 
D 2 \wi,W 2 \, and the noncommon suffix Di[w 2 ,y\\. It is important to note that this does not 
necessarily imply that this common segment is used by the two detours in the same direction. In 
particular, it might be the case that the detours visit the common segment in opposite directions 
where Di = Di[xi,wi]o Di[wi,W 2 ]o Di[w 2 ,yi] while D 2 = D 2 [x 2 ,W 2 ]o D 2 [w 2 ,wi]o Di[wi,y 2 ], 

Di visits wi before W 2 and D 2 visits W 2 before wi). 


I.e. 


3.2.1 Detour configurations and ordering 

In this subsection, we consider the possible detours configurations of two detours Di and D 2 where 
xi < X 2 . These configurations depend upon the lexicographic order of xi,yi and X 2 ,y 2 - 

Definition 3.7 (Detours Configurations) 

(Non-nested): yi < X2. 

(Nested): xi < X 2 < 2/2 < 2/i- 
(Interleaved): xi < X 2 < yi < y 2 - 
(x-Interleaved): xi = X 2 < yi < y 2 - 
(y-Interleaved): xi<X 2 <yi = y 2 - 
({x,y)-Interleaved): xi < yi = X 2 < y 2 - 

For a schematic illustration of these configurations, see Fig. 
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Figure 3: Schematic illustration of the detours configurations. 

The (x, y)-ordering the detours. The (x, y)-ordering of a collection of detours T), namely, 
^ = {Di,...,Dt} is an ordering according to the lexicographic ordering of {x{Di),y{Di)) pairs. 
For ease of notation, let Xj = x{Di) and y* = y{Di). We say that {xi,yi) > {xj,yj), if x* > Xj and 
if Xi = Xj then yi > yj (i.e., deeper on 7r(s, v)). Then, in an (x, y) ordering the detours are ordered 
in decreasing order of their {xi,yi) pairs. I.e., xi > X 2 > .. ■ > x* and if Xj = Xj then Di precedes 
Dj (denoted by Di -< Dj) in the ordering iff y* > yj. 

Claim 3.8 If Di and D 2 are non-nested, then they are independent. Formally, if yi < X 2 then 
F»i nF»2 = 0. 


Proof: Assume towards contradiction there exists a common vertex w ^ Di n D2. See Fig. [^a). 
There are now two yi—w paths in G\{ei, 62 }, namely, Qi = Di\yi,w\ and Q2 = vr(yi, X2)oD2{x2,w\. 
By the optimality of Ps,v,{ei} both i G {1,2}, it holds that |(5i| = \Q2\- Hence, the path 
Q 3 = 7 r(s,yi) o Qi o D2[w,y2] o 7 r(y 2 ,u) is also in SP{s,v,G \ { 62 }), but its unique divergence 
point from 7r(s,u), namely yi, is strictly above X 2 , in contradiction to the selection of Ps^v,{e2} by 
Algorithm Cons2FTBFS (which was supposed to prefer the divergence point that is closest to s). 
The claim follows. | 

Claim 3.9 If D2 is nested in Di, then they are independent. Or, formally, if xi < X2 < y2 < yi, 
then Di D D2 = fJ). 

Proof: Assume, towards contradiction, that there is a common vertex w G Di n D 2 . Let ei = 
(mi,M 2 ) and 62 = {u 3 ,Ui). Clearly, 62 G vr[x 2 ,y 2 ]- We consider two cases depending on where ei 
resides. Case (1); ei ^ 7 r[xi,X 2 ]. In this case there are two xi — w paths in G \ { 61 , 62 } given 
by Qi = 7 r(xi,X 2 ) o D 2 [x 2 ,w] and Q 2 = L>i[xi,u)]. By the optimality of Di and D 2 , we get that 
IQil = \Q 2 \- Since xi appears strictly above X 2 , we end with contradiction the selection of Ps,v,{e 2 } 
by Algorithm Cons2FTBFS (which was supposed to prefer the divergence point that is closest to 
s). 

Case (2): 61 G 7r[xi,X2]. In this case, there are two w — yi shortest paths in G \ {61,62}), 
namely, Qi = Di[w,yi] C Pi and Q2 = D2[w,y2] o 7 r[y 2 ,yi] C P2. By the optimality of Ps,v,{ei} 
for both i G {1,2}, it holds that |Qi| = \Q2\- Note that Pi = SP{s,v,G{xi,ui) \ { 61 }, IF) 
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and P2 = SP{s,v,G{x2,U3) \ {62}, W). Since both Qi and Q2 exist in G{xi,Ui), it holds that 
Qi,Q 2 = SP{w, yi, G{xi, U 4 ), W) leading to contradiction. The claim follows. | 

Claim 3.10 If Di and D 2 are dependent such that D 2 < Di, i.e., xi < X 2 < yi < y 2 , then 

(a) ei G 7r[xi,a:2], if xi / X 2 , and 

(b) 62 G 7r[yi,y2], if yi 7^ 2/2- 

Proof: Let tc G Di H ZI2 be a common vertex (see Fig. [^c)). Assume that xi < X2- Clearly, ei = 
(ui,M2) G 7r[xi,?/i] and 62 = {u^^ua) G 7r[x2,y2]- Assume towards contradiction that ei ^ 7r[xi,X2]. 
In this case there are two xi — w paths in G \ {61,62}, namely, Qi = 7r(xi,X2) o D2[x2-,w\ and 
Q2 = Di[xi,w\. By the optimality of Ps^v,{ei}: for both i G { 1 , 2 } , it holds that |Qi| = |Q2 1 • Since xi 
is strictly above X2, we end with contradiction to the selection of Ps,v,{e2} by Algorithm Cons 2 FTBFS 
(which was supposed to prefer the divergence point that is closest to s). Consider (b) in case where 
Di and D2 are not ^-interleaved. Assume towards contradiction that 62 = (ua, ua) ^ 7r[2/i, 1/2], hence 
62 G 7r[x2,yi]. Note that in such a case, X2 / yi (i.e., Di and D2 are not (x, y)-interleaved). There 
are now two w-y2 paths in G\ {61,62}, namely, Qi = Di[w,yi]oTr[yi,y2] and Q2 = D2[w,y2]. By 
optimality, |( 5 i| = \Q2\- Since Qi,Q2 C G{xi,ua), it holds that Qi,Q2 = SP{'w,y2,G{xi,UA),W), 
leading to contradiction. The claim follows. | 


Dependent detours. For dependent detours Di,D 2 , let First(Di, D2) (resp., Last(Di, ZI2)) 
be the first (resp., last) vertex appearing on Di that is common to D2. Note that First(Zli, D2) 
might not be equal to First(D 2 ,Di) (in cases where the common segment Di n D 2 is traversed 
in opposite directions by the two detours). We distinguish between two types of dependent and 
interleaved detours Di and D 2 . Let xi < X 2 and let tci (resp., W 2 ) be the first (resp., last) vertex 
on Di that is common to D 2 . I.e., there is no vertex in Di[xi,wi]UDi[w 2 ,yi] that is in D 2 as well. 
Note that by Cl. 3.6, we have the guarantee that Di[wi^W 2 \ = D 2 [wi,W 2 ]- Yet, since the graph is 
undirected, the two detour might traverse the common segment in opposite directions. If dependent 
and interleaved detours xi < X 2 < yi < 2/2 use the common segment Di n D 2 in the same direction 
(equivalently, First(Di,D2) = First(Z)2, Di)) then Di,D 2 are fw-interleaved otherwise they are 
rev-interleaved. Note that dependent detours Di and D 2 which are (x, 2 /)-interleaved, always use 
their common segment in opposite direction. See Fig. [^for an illustration. Finally, we summarize 
the possible configurations of dependent detours. By Cl. |3.9|and [3.8[ we have the following. 


Claim 3.11 Let Di and D 2 be dependent detours. Then, (a) Di and D 2 are either x-interleaved, 
y-interleaved, {x,y)-interleaved, fw-interleaved or rev-interleaved. 

(b) //First(Z)i, D 2 ) 7 ^ First( 1 ) 2 , Di), then they are either rev-interleaved or {x,y)-interleaved. 


Excluded detour segmeut For detour Di, the segment a P Di an excluded segment with respect 
to Di (or Dj-excluded for short) if there exists no new-ending path P G 'P^, such that D[P) = Di 
and its second failing edge F 2 {P) G a. 

The next claim plays a major role in our analysis. It concerns interleaved, x-interleaved and 
(x, 2 /)-interleaved dependent detours Di and D 2 , where xi < X 2 . Letting w = Last(D 2 ,F>i) be 
the last point occurring on D 2 that is common to Di, denote by Li = Di\w,yi] as the suffix of 
Di segment (see Fig. |^a,b,c) and Fig. [^d)). The claim states that this Li type segment is 
Di-excluded segment of the detour, in the sense that there exists no P £ Py, such that D{P) = Di 
and its second failing edge F 2 {P) appears on Li. 
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(a) fw-Interleaved (b) rev-interleaved (c) (^.y)- 

Interleaved 


Figure 4: Three types of dependent interleaved detours, (a) fw-interleaved detours are dependent 
detour Di,D 2 that use the common segment Di[wi,'W 2 ] in the same direction, (b) rev-interleaved 
detours are dependent detour Di,D 2 that use the common segment Di[wi,W 2 ] in two opposite 
directions, (c) (x,y)-interleaved detours where X 2 = yi- The common segment Di[wi,yi] is used 
in opposite direction by Di and D 2 . 


Claim 3.12 Let Di and D 2 be interleaved, x-interleaved or {x,y)-interleaved dependent detours, 
i.e., such that xi < X 2 < yi < y 2 - Then, Di[w,yi] is Di-excluded where w = Last(Zl 2 ,Hi). 

Proof: Let Li = Di[w,yi] and assume towards contradiction that there exists P G such that 
D{P) = Hi and F 2 {P) £ Li. Let ei = Hi(H) (i.e., the edge ei is not an arbitrary edge that is 
protected by the detour Hi but rather the first failing edge of the replacement path P that is given 
by the contradictory assumption) and let Hi = 7 r[s,xi] o Hi o 7 r[yi,u] G SP{s,v,G \ {ei}) be the 
path protecting against the failure of ei. Observe that the edge ei appears on tt{s,v) before 02 - 
This is because by Cl. |3.10[ 2), it holds that 62 G 'x[yi,y 2 ] and ei G 7 r(xi,?/i). Since ei appears 
on 7 r{s,v) before 62 (i.e., ei is closer to s), it holds that b{P), the unique vr-divergence point of 
the new-ending path H from tt{s,v), occurs above ei and hence also above 62 (by Cl. Hi) such 
b{P) is guaranteed to exist). Since by Cl. |3.5K 2), P[b{P), u] is edge disjoint with 7r(s,'i;), we have 
that 62 ^ P and overall H C G \ {ei, 62 , H 2 (F)}. Consider an alternative (vr, 7 r)-replacement path 
P' = Ps,v,{ei,e 2 } ^ SP{s,v,G \ { 61 , 62 }), i.e., both the failing edges of P' occur on vr. Recall that 
H' was added to the construction during step (2) of Alg. Cons2FTBFS, i.e., before H was added 
in step (3). Hence, LastE(H) 7 ^ LastE(H') (since H is new-ending). We now consider two cases 
depending on whether or not the second failing edge H 2 (H) appears on the (tt, tt) replacement path. 

Case (1): F 2 {P) ^ H'. Since 62 ^ H, we get that both P and P' are two s — v shortest paths in 
G \ { 61 , 62 , H 2 (H)}. By optimality, |H| = |H'|. So we end with contradiction to the selection of H 
by the algorithm. 

Case (2): H 2 (H) = ( 171 ,^ 2 ) G H'. We now define the path H = 7r(s, xi)oHi[xi, u;]oH 2 [u), y 2 ]o 7 r(y 2 , i^)- 
Recall that w = Last(H 2 ,Hi) is the last point on H 2 and hence F 2 {P) ^ D 2 [w,y 2 \- Since by the 
contradictory assumption F 2 {P) is in the excluded region, i.e., F 2 {P) G Li = Di[w,yi], it holds 
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that F2{P) ^ P. Since step (2) of Alg. Cons2FTBFS attempts first to select P as the replacement- 
path for the pair F = { 61 , 62 }, by the fact that eventually another path, namely P', was selected 
as the replacement path Ps,v,{ei,e 2 }^ necessarily 

|P| > \P'\ . (5) 


We next bound the length of |P| and show its optimality, hence leading to contradiction. Since 
F2{P) = {qi, 92) £ P', there exist two s — q2 shortest-paths in G \ (ci, 62}, namely, Qi = 7r(s, xi) o 
Di\xi,q2\ and Q2 = P'{s,q2\. Note that 62 ^ Qi, since the divergence point xi is above it on 
'k{s,v). In addition, note that rc G Qi as 52 £ Di[w,yi]- By optimality of the paths Pi = Ps,v,{ex} 
and P' = Ps^v,{ei,e2}i IQil ~ \Q‘i\- Hence, 

\P'\ = \Q2\ + \P'[q2,v]\ = \Ql\ + \P'[q2,v]\ 

= dist{s, w,G\ {61,62}) + dist{w,q 2 ,G\ {61,62}) + dist(g'2, G \ {61,62}) 

> dist(s,u;,G\ {61}) + dist(u;,i;,G\ {62}) = w^]| + \Ps,v,{e2}[w,v]\ = |P| , 


contradiction by Eq. (5). The claim follows. 


I 


Note that for rev-interleaved or (x, y)-interleaved dependent detours Di and D 2 where xi < X 2 , 
the excluded segment Li C Di contains that shared segment Di n D2 (see the segments Di\wi, yi] 
in Fig. ib. c)). We have the following. 


Corollary 3.13 Let Di,D 2 be dependent {x, y)-interleaved or rev-interleaved detours where xi < 
X 2 - Then there exists no path P G P^ such that D{P) = Di and F 2 {P) G Di Cl D 2 . 


3.2.2 The kernel subgraph of detours 

For every vertex v, and a subset of (vr, D)-replacement paths P C Py, let V = {D{P),P G P} be 
the set of detours of these paths. Clearly the set of relevant faulty edges is given by the subgraph 
Gy(T>) = 7r{s,v) U {Di I Di G D{. In this section, we show that in order to analyze the structure 
of the new-ending (vr, D)-paths, it is sufficient to consider a subgraph JCy{'D) of Gy{'D), denoted 
hereafter as the kernel subgraph of the detours. When, v is clear from the context, we simply write 
JC{V). To define the JC{V) subgraph, we describe a construction procedure which gradually adds 
segments of detours Di gD according to some predefined ordering. Essentially, from each Di, only 
a certain segment D[xi,Wi] is added to JC{'D). We begin by describing the construction of JC{'D) 
and then establish some of its useful properties. 


The coustructiou of the keruel graph IC{D). The algorithm first (x,y)-orders the detours, 
resulting with ^ = {Di,... ,Dt} where Di ^ D 2 < < Dt- Initially set KP = 0. Let wi = yi. 

Add the Dfs in a sequential manner: at step i, we follow the detour Di and add its edges until we 
hit the first vertex Wi on Di that was already added to the kernel graph by the previous step. 
We then add only Di[xi,Wi] to the subgraph of Formally, at step i, the segment of Di[xi,Wi] 

is added to , where wi = yi and for every i > 1, Wi G Di is the first common vertex of Di 
and Hence, there exists some j < i, such that Wi G Dj[xj,Wj]. Let Kd = U Di[xi,Wi\. 

Finally, let 1C{V) = Kf = |Ji=i Di[xi,Wi]. 

Note that some of the detours Di of V are added completely to K.{V) (i.e., Wi = y{Di)) and 
others are added only partially, since one of their vertices has been added before. We refer to 
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these detours as truncated detours. Formally, a detour Di is truncated if Wi / yi, otherwise, it is 
non-truncated. For every truncated detour Dj, let Dj/ G P be some detour that precedes Dj in 
the ordering, i.e., j' < j and in addition, Wj G Dj'[xj',Wj>]. We call this detour the breaker of 
Dj, denoted hereafter by (the detour Dj might have several breakers, in such a case one is 

chosen arbitrarily). See Fig. [^a) for an illustration. 

The next key lemma shows that the kernel subgraph IC(D) consists of the faulty edges F2{P) 
for every new-ending path P whose detour D{P) is in D. 

Lemma 3.14 For every (vr, D)-replacement path P £Vv with D = D{P) G V and F2{P) = {qi, q2), 
it holds that D[x{D), q2] F IC(V). 

Proof: Let P G P,, be such that its detour D{P) G V was added to the kernel graph JC{'D) at step 
ti-^^. Let Di^ = D{P). There are two cases. If F 2 {P) G P*, tCjJ, then Pj, tCjJ C IC{V) and 
the claim holds. Hence, it remains to consider the case where F 2 {P) ^ tCjJ. See Fig. [^b) 

for an illustration. Note that in such a case, Di-^ is a truncated detour. 

Consider the maximal sequence Di^, ... ,Di^ where Di^ = ^{Di._^) for j G {2, ...,fe} such 
that k is the hrst index satisfying either that F2{P) G Dif,[xii^,Wi^.] or that Di^ is a non-truncated 
detour, i.e., it was added in its entirety to the kernel graph JC{'D). Since the first detour Di in the 
(x, y)-ordering was added in its entirety to the kernal, the terminating element in this sequence is 
well defined. 

We now prove by induction that for every j G {1,..., A;}, the following holds. 


(a) F 2 {P) G Di-, and for every j <k — l, 

(bl) Wi- G Pij, and in particular Wi- occurs on Di^ before the edge F 2 {P) (i.e., Wi- G Pq[xq, 9i]) 
(b2) Di^[wi^_-^,Wi.] C /C(T»), where Wi^ = xq. 


The base of the induction j = 1 holds by definition. Assume it holds up to j — 1 and consider 
j. We begin with part (a) and assume towards contradiction that F 2 {P) ^ Di.. By part (bl) of 
the induction assumption for step j — 1, it holds that G Pq and it appears on Pjj before the 

failing edge F 2 {P). Since D^. is the breaker of Di._.^, it holds that G Di.[xi.,Wi-]. Hence, Pjj 
and Di- are dependent. Let w' be the last point on D^. that is common to Pq. By the ordering of 


V, Xi. > X. 

into 
case, by Cl 


We distinguish between two cases. Case (1): x*. > Xi 


.J _ -ii- »»c v.iiouiii 5 uioi± ucuvvccii uvvw v.a,oco. yj-j. ^ . This case is further divided 

3 subcases depending on the value of y^. with respect to yi^. Case (1.1): yi^ = In this 
yij = Pj.[rcj _^,yi-]. This is in contradiction by part (bl) for step j, as 


Pq K 


3.6 

F2(P) G 
Case (1.2): yi^ < yi 


T/iJ and hence F 2 {P) G D^.. 

Then Pj is nested in Pjj, hence by Cl. 


3.9 


they are independent, in 


contradiction to the existence of a common vertex Case (1.3): yi- > yi^. First, observe 

that since F 2 {P) G Pq [rcj . j, yij, by Cl. 


3.12 


it holds that D 


*1 


and Pjj are neither rev-interleaved 


not (x, y)-interleaved. Hence, Pj^ and Pj 2 are fw-interleaved. By Cl. 


3.12 


there exists no P' 


with D{P') = Di^ and F 2 {P') G Piju;',yq], i.e., there are no failures in Pj^ after w'. Since 
F 2 {P) G Di^ \ Di. and it appears on Pjj after the common segment Di^ n Di., it holds that 
F 2 {P) G Pq[r(;',yq], leading to contradiction. 

It remains to consider Case (2) where Xj^ = x*. (i.e., Pj^ and D^. are x-interleaved). By the 


ordering of V, it holds that < yi., and hence by Cl. 3.6, Pq[xq,r(;'] = D j. [x;^. , w'\ . By the 

Hence, part 


contradictory assumption, F 2 {P) G PjJuj'jyq], leading to contradiction by Cl. 
(a) of the induction hypothesis holds. 


3.12 
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We now turn to part (bl). Since j < A: — 1 , by the stopping criteria of the sequence, it holds 
that F2{P) was not included in the prefix taken from Di., i.e., F2{P) ^ Di. [xij,Wi^]. So by part (a), 
F2{P) G Dij[wij,yi.] (i.e., F2{P) appears on Di. after w^). Since Di. is the breaker of Aj_i, 
it holds that Wi._.^ G Di.[xi.,Wi.]. Hence, Wi 
assumption, Wi._.^ G Dq and by definition, qi G By Cl. 
in particular, Wi- G Dq as well. By the part (bl) of the induction assumption, F2{P) occurs on 
Hjj after Wi.^. By the fact that Wi 


Pij[wij_^-,qi\- By part (bl) of the induction 


3 . 6 , AiK,_i,g2] = so 


7-1 


G Di^[xi.,Wi- 


and A(H) G Di.[wi.,yi-], it also holds that 
F2{P) occurs on Di. after Wi._.^. Hence, we conclude that the common segment Ai j 92] of 
these detours is used in the same direction: from to q2 via Wi.. Therefore, Wi. appears on 

Ai before the failing edge ^(P), so (bl) holds. 


Finally, consider part (b 2 ). By part (bl) for steps j — 1 and j, we have that Wi-^ 


.Wi 


n- 


By the definition of the detour Di. 
that D, 


it also holds that Wi._.^,Wi. G Di.. Hence, by Cl. 


3_i, Wi.] = Di^ [wi._.^, Wi^]. Since Di^ [wi._.^, Wi^] C Di. [x 
Di.^[xi.,Wi.] was taken into the kernel, i.e., Di.^[xi.,Wi. 


■j L^b- 


^ gA 

it holds 
, uij. ], we have that the prefix 


3.6 


C K,{'D), so (b 2 ) holds as well. 


We are now ready to complete the proof of the lemma. Since P2(P) G Pjj. and in particular 


P2(P) G A, 


], we get that P2(P) is in /C(P). By part (b 2 ), we have that for every j < A: — 1 , 


Di.^[wi._^,Wi^] C 1 C{V). Combining this with the fact that P4, 92] P Di^^[xi^,Wi^] was also 
added to JC{'D), we get that 

Di^[xij^,Wi^] o Di^[wi^,Wi^] o ...o Pq[w4_2,teifc_i] o , ^2] = Pji[xji,g2] C /C(P). 

The claim follows. | 


3.3 New-ending paths protecting against two edge faults 

In this section, we turn to present several properties of new-ending paths P^ (i.e., that were not 
contained in Gt—i{v), and hence introduced LastE(PT-) to the subgraph H{v)) and then classify 
the set of new-ending paths Vv into five path classes. 

3.3.1 Properties of new-ending replacement paths 

The following claim summarizes some basic properties of new ending (vr, D)-replacement paths that 
are useful in our analysis. It states that for every new-ending (vr, D)-path P^, the vr-divergence point 
b{Pi) and the D-divergence point c{Pi) (if exists) are unique. 

Claim 3.15 Let Pr = Ps,v,Fr £ FP{s, v, G\Ft-) be the new-ending (vr, D)-replacement path added in 
step T of Alg. Cons2FTBFS (i.e., it was not contained in the graph Gt-i{v) defined in step 3 of the 
algorithm. Recall that Pi(Pr) = G tt{s, v), P 2 (Pr) = p G D^ and Dr = [xr = vq, vi,... ,Vk = yr] 
is the detour segment of Let br be the first divergence point of Ps^v,Fr from f{s,v). Then: 

(1) there is no alternative replacement path whose first divergence point from f{s,v) appears before 
br. 

(2) if br / Xr then E{Ps^v,Fr) C E{Dr) = 0. 

(3) if br = Xr, let Cr be the first divergence point of Ps^v,Fr from Dr. Then: 

(3.1) Ps^v,Fr = '^is,br)o Dr[xr,Cr]o Ps^v,Fr[cT,v] and Ps^v^Fricr, v] is edge disjoint with Dr Uf{s,v). 

(3.2) there is no alternative replacement path with divergence point br whose first divergence point 
from Dr appears on Dr before Cr (i.e., closer to Xr). 
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y\2. Yis 



Figure 5 : Schematic illustration of the kernel graph and its useful properties, (a) The kernel graph 
/C('D) where the detours T> = {Di, D2, D^, 1)4} are inserted in this order. For detour Di, the vertex 
Wi is the first vertex appearing in Dj[xj,Wj]. The dotted segments are not included in the 
kernel, hence D^lw^, 7/4] is not taken into the kernel. The detours Di and are non-trnncated and 
the detours D2 and are truncated. The detour Di (resp., D2) is the breaker of D2 (resp., D4). 
Hence, Di = T(D2) and D2 = (b) Illustration for Lemma 3 . 14 , Note that the seqnence of 

vertices is on getting closer to the failing edge F2{P). 
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Proof: Claim (1) follows immediately as the algorithm chooses the divergence point closest to s. 
Consider claim ( 2 ). By the definition of b^, vr(s, br) C P^. Recall that in the case where br 7^ Xr, 


Assume towards contradiction that b-j- 7^ Xr and yet E{Pr) H E{Dr) 7^ 0 . Let w G H Pr be 
a common vertex of Pr and Dr- First assume that w appears on Dr above the second failing edge 
tr- We show that in this case br = Xr- Since the algorithm defines Pr = SP{s, v, G{br, v) \ Fr, W), 
br is the unique divergence point of 7r(s, v) and Pr- If br is above Xr on 7r(s, v) then there are two 
distinct s — w shortest paths in G \ Fr, , namely, Qi = tt{s, Xr) o Dr[xr,w] and Q2 = Prls, rc]. By 
optimality of these subpaths, |( 5 i| = \Q2\, hence we end with contradiction to Claim 3 . 4 ' 2 ) for the 
path Ps^v,{ei}- Similarly, if br is below Xr we end with contradiction to Cl. 


3.15 


'1) for the path Pr. 
after the failing edge p. In this 
C Pr[br,v] 


w,v 


Hence, br = Xr- Next, consider the case where w appears on Dr 
case, we get that there are two distinct w — v paths in G \ Fr, namely, Qi = Pr 
and <52 = Dr[w,yr\ o 'i:{yr,v). By the optimality of these subpaths, |( 5 i| = \Q2\, in contradiction 
to the fact that Pr is new-ending. Finally, consider claim ( 3 ) where br = Xr- Alg. Cons2FTBFS 
selects the replacement path Pr whose closest divergence point on Dr and by the definition of this 
path, this divergence point is forced to be unique i.e., the edges of Dr[cr, yr] are omitted from the 
graph Gd(ct) in which Pr is dehned. Both parts of claim ( 3 ) follows. | 


We conclude this section, by providing a useful property for new-ending (vr, D) replacement 
paths P that intersect their detour D{P). The next lemma states that the D-divergence point c{P) 
of P and D{P) is distinct. 


Lemma 3.16 For every (vr, D)-paths Pi,P2 G Vv satisfying that E{Pi) n E{D{Pi)) 7 ^ 0 for i G 
{ 1 , 2 }, it holds that c{Pi) 7^ c{P2). 


Proof: Assume, towards contradiction, that there exists two (vr, D) new-ending paths Pi,P2 G Vv 
such that c{Pi) = 0(^2)- Let Ci = c{Pi),ei = Fi{Pi),ti = F2{Pi),Di = D{Pi), for i = {1,2}. Since 
Pi, P2 intersect with their detours Di and D2 respectively, it holds that ci G Di and C2 G D2, 
hence Di and D2 intersect at some point not after ci. First note that ei 7^ 62, because otherwise, 
Di = P>2 and since ti,t2 occur after ci, it holds that there are two distinct new-ending ci — v 
shortest paths in G \ {ei,ti,t2}, namely, Pi[ci,u] 7^ P2[ci,u], contradiction since the selection of 
the latter of them by Alg. Cons2FTBFS could have been avoided. 


From now on assume, without loss of generality, that ei is above 62 on ■k[s,v) (i.e., closer to 
s). Let w be the last vertex on Di that is common to P2- Since ei is above 62 and Di and D2 
are dependent (they share a common vertex ci), it holds by Cl. 3.8 and 3.9 that they are neither 
nested nor non-nested. Hence, we have that 


Xi<X2. 


( 6 ) 


(as otherwise by Cl. 3 . 10 [ 1 ), 62 G 7r(x2,xi) is above ei). We consider three cases. 


Case (a): ti,t2 G Pi H D2. Note that by Cor. 3 . 13 , Di and D2 are neither rev-interleaved nor 


(x, y)-interleaved (i.e., in such a case, w is also the last vertex on D2 that is common to Pi). By 
Cl. 3.15} 3.1), it holds that 7r(s, Xi) oDi[xi, c*] C Pj for i G {1, 2}. Hence ti and t2 occur on Pi nP2 
after ci, i.e, ti,t2 G Di[ci,w\ = P2[ci,'u;]. Note that since Pi and P2 are neither rev-interleaved 
nor (x, v/)-interleaved, by Cl. 3.11 , the common segment Di[ci,w\ is used by the two detours in the 
same direction. There are now two distinct new-ending ci — v shortest paths in G \ {ei, 62, ti, ^2}, 
namely, Pi[ci,u] and P2[ci,u] (these paths are distinct as LastE(Pi) 7^ LastE(P2)). This is again 
in contradiction to the selection of Pi by Alg. Cons2FTBFS, since it was constructed after P2, so 
its last edge could have been avoided. 
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Case (b): ti ^ Di\D2. Since ti appears on Di after the common vertex ci, yet it is not in D2, 
we get that ti appears on Di after the last common vertex with L>2, namely, w. In particular, 
ti appears on the non-common suffix Di[w,yi]. Hence, Di and D2 are neither y-interleaved nor 
(x, y)-interleaved (since in these cases, w = yi). Let w' be the last vertex on D2 that is common to 
Di. Note that Di[w,yi] C Di[w',yi] (I.e., if Di and D2 are rev-interleaved, w' is the first vertex 
on Di that is common to D2 and in other cases, where the common segment is used in the same 
direction by both detours, w = w'). By Eq. Q, Cl. 3 . 12 , and the fact that D{Pi) = Di and 


ti = F2{P), we get that ti ^ Di[w,yi], contradicting the fact that H G Di[w,yi]. 


By combining Eq. Q, the fact that the detours are 
3 . 13 [ it holds that Di and D2 are neither rev-interleaved 


Case (c): t2 € D2\ Di and ti G DiD D2. 
dependent and that ti £ Dir\D2 , by Cor. 
nor (x, y)-interleaved. Hence, by Cl. 3.11 b), the common segment Di n D2 is used in the same 
direction by both detours. In particular, w is also the last vertex on D2 that is common with 
Di. Since t2 occurs after the common vertex ci, in this case, t2 G D2[w,y2] and ti G Di[ci,w]. 
Since ci = C2 appears before the failing edge ti on Di, it holds that ti ^ P2- We now break case 
(c) further into two subcases. Case (cl): t2 ^ Pi[ci,v\. Then again there are two distinct ci — v 
shortest paths in G \ {61,62,^15^2}) namely, Pi[ci,u] and P2[ci,u], and we end with contradiction 
to the construction of these paths by Alg. Cons2FTBFS. 


Case (c 2 ): t2 G Pi\ci,v\. Let t2 = (zi,Z2) and recall that t2 G D2[w^y2]- We show that 
in such a case, there are two Z2 — v shortest-paths in G \ {61,62,^1}, namely, Q\ = Pi\z2,v\ and 
Q2 = D2[z2^ ?/2]o7r[y2, To see this, note that by Eq. (©, 62 ^ Qi- In addition, since ti ^ D2[w, ^2] 
and 61 ^ iT{y2,v) (as 61 is above 62), it also holds that 61, ti ^ Q2- By optimality of these subpaths 
(as Qi C Ps^v,{ei,ti} nnd Q2 C Ps^v,{e2})^ have that \Qi\ = \Q2\- We then end with contradiction 
to the selection of Pi by Alg. Cons2FTBFS (since the algorithm could have used the alternative 
s — V replacement path Pi[s, Z2] o Q2 in G \ P(Pi), which is not new-ending). | 


3.3.2 New-ending path classification 

Recall that the set = {P(6) | e G New(i;)} contains the collection of new-ending s—v replacement 
paths, each representing one distinct new edge from New(u). For every new-ending path Pi £ Vy, 
recall that D{Pi) = Di is the detour segment protecting the first failing edge Pi (Pi) G tt{s,v) of v 
and 6(Pi) is the unique 7r-divergence point of Pi. 

In this section, the new-ending s — v replacement path collection, Vy, is classified into five 
classes. The first class consists of new-ending (vr, vr) paths Ps,v,F protecting against two edge 
faults on Tr(s,v), i.e., F £ Fy(7r). The cardinality of this set is later bounded by 0 (^/n), using 
an argumentation that is similar to that of the single failure case m- The second class of paths 
'Pnodet consists of paths Pi £ Vy that do not intersect the edges of their detour Di at all, namely. 
Pi n E{Di) = 0 , as in Fig. [^d). For this class, it is shown that the first failing edge of any two 
paths in this class is distinct, i.e., Pi(Pi) / Pi(Pj) for every Pi,Pj £ Pnodet- This key observation 
is used to bound the cardinality of this class by 

The remaining set C of new-ending (vr, D) paths consists of paths Pi for which F[Pi) £ Fy{D) 
and Pi n E{Di) 7^ 0 , as in Fig. [^c). This set constitutes the main technical challenge in the 
analysis. To bound its cardinality, we would like to employ the same high level strategy: new- 
ending paths consume many vertices, and since the number of vertices is limited by n, the number 
of new-ending paths is bounded as well (as a function of n). To do that, we would like to show 
that every new-ending path P £ C has an nonnegligible number of distinct vertices, not appearing 
on any other path P' £ C. The main technical question is to identify a subpath of the new-ending 


28 








path that is guaranteed to be sufficiently long and disjoint from all others. Consider the following 
natural approach. For every P, G C, define its suffix as P/ = Pj[ci,u] where c, is D-divergence point 
of Pj. We then wonld like to claim that the P/’s are disjoint. To do that, one shonld prove (by 
contradiction) that if there exists a common vertex w € D Pj, for some Pi,Pj G C, then one of 
the two suffixes from w on, say Pl[w,v], could be replaced by the other suffix Pj[w,v], and hence 
a proper construction of the paths should have avoided the inclusion of the new edge LastE(Pj), 
leading to contradiction. For such an argumentation to hold, one shonld show that using Pl[w,v] 
instead of Pj[w,v] or vice-versa is safe, namely, that neither of these segments contains the failing 
edges of the other path, or more formally, F{Pi) H Pj = 0 and F{Pj) H P/ = 0 . Does this statement 
always hold? Consider the first failing edges of these paths, namely, Pi(Pj), Pi(Pj) G 7 r(s,u). Since 
P/ G Pi\bi, v] is edge disjoint with 7r(s, v), it holds that Fi{Pj) ^ P/ and analogonsly Pi (Pi) ^ Pj- So 
the main challenge is in showing that the second failing edge P2 {Pj ) does not occur on P/ and vice- 
versa. This, however, can be guaranteed only for the restricted case where P2(Pi), F2{Pj) G DiCiDj. 
Specifically, this holds as c, (resp., Cj) is the unique D-divergence point of Pi (resp., Pj) from the 
detonr Di (resp., Dj). Hence F2{Pj) ^ P/ and P2(Pi) ^ Pj. The conclusion is that the main 
obstacle for defining a unique set of vertices for each new-ending path boils down to the cases 
where P, contains the second failing edge F2{Pj) G Dj \ Di- This last observation motivates the 
definition of interference defined next. 


Interference and independence of replacement paths. For paths Pi,Pj G Pi;, we say that 
Pi interferes with Pj if F2{Pj) & Pi \ D{Pi). The paths Pi,Pj G Vv are independent if Pj does not 
interfere with Pj and vice-versa. Indeed, for independent pair of paths Pi and Pj, upon proper 
construction of the replacement paths, it can be shown that the segments P- and Pj are disjoint. 
This leads to the dehnition of the third path class, Vindep, consisting of all new-ending paths that 
do not interfere with any other new-ending path in Vy. By exploiting the fact that these paths do 
not intersect after they leave their detour, namely, P' and Pj are disjoint, we show that there are 
at most 0 {n^/^) independent paths. 

Finally, we consider the most involved case, which is that of interfering paths. The set of inter¬ 
fering paths is further classified into two subsets by distinguishing between two types of interference, 
namely, n-interference and D-interference. We proceed by giving some high level intuition for this 
classification. 

Let Pi be a new ending path interfering with another new-ending path Pj, i.e., F2{Pj) = {qi, Q'2) 
appears on Pi \ Di- On the fact of it, a natural short route from q2 to u in G may be given by 
Q = Dj[q2, Uj] o Tr{yj,v) (see the dashed green paths in Fig. [^b,c)). Note that since Q is a subpath 
of the replacement path Ps^v,{ej}, where Cj = Fi{Pj), it holds that Q G SP{q2,v,G \ {cj}). Since 
Pj is a subpath of Pi starting at a point that occurs on or after the 7r-divergence point bi of 7r(s, v) 
and Pi, it holds that Pj n 7 r{s,v) = {u}. Hence, the alternative q2 — v path Pl[q2,v] cannot be 
shorter than Q. By the fact that Alg. Cons2FTBFS defines Pi as a new-ending path, since the last 
edge of Q was already present in the constrncted structure at the time when Pi was constrncted, 
it holds that Q ^G \ F{Pi), i.e., the subpath Q, although optimal in its length, conld not be used 
as part of the replacement path Pi since it contains at least one of the two edges F{Pi) against 
whose failure Pj aims to protect. We now define two types of interference, depending on the two 
possible scenarios. If Q contains the first failing edge Pi(Pi), i.e.. Pi (Pi) G TT{yj,v), we say that 
Pi TT-interferes with Pj. This notation indicates that the reason for not using the existing ronte 
Q, when considering the failing pair F{Pi), is the fact that Q contains the first failing edge Pi(Pi), 
which by definition, is always in tt{s,v) (see the green dashed path in Fig. [^b)). Alternatively, 
the second optional scenario is that the q2 — v route Q is not used as part of Pi since it contains 


29 


the second failing edge F2{Pi), which by definition (as F{Pi) G Fy{D)) occurs on the detour D{Pi). 
Specifically, in such a case F2{Pi) G Dj[q2,yj] C Q. We then say that Pi D-interferes with Pj (see 
the green dashed path in Fig. [^c)). This notation indicates that the reason for not using the 
existing route Q, is the fact that it contains the second failing edge F2{Pi) occurring on the detour 
D{P^). 

Note that in general, these two types of interference are not exclusive and it might be the case 
that Pi both TT-interferes and D-interferes with Pj. 

For an interfering path P, let F{P) = {P' G Vy \ F2{P') ^ P\ D{P)} be the set of new-ending 
paths interfered by P. We now subdivide the set of interfering paths into two classes, namely, 
Xn- and Id, depending on the type of interference of P on I{P). If the path P vr-interferes with 
every P' G I{P), then let P G In- Otherwise, if there exists at least one path P' G I{P) such 
that P D-interferes but does not vr-interfere with P' , then let P G Id- The cardinality of these 
path classes is bounded using different tools, and each is shown to contain 0 (n^/^) paths. For a 
schematic illustration of the different notions of interference, see Fig. 




(a) Independence 


(b) n-Interference (c) D-Interference 


Figure 6: Schematic illustration of independence and interference. Shown are two paths Pi, Pj G Vy 
such that Fi{Pk) = ek,F2{Pk) = tk and Dk = D{Pk) for k G (a) The paths Pi and Pj are 

independent, since Piri{Dj \ Di) = 0 . (b) Pi is 7r-interfering to Pj since e, appears below yj = y{Dj) 
on 7r(s,u). The replacement path Pi traverses the failing edge tj G Dj. This path cannot proceed 
along the green dashed path since e* G TT{yj,v) (c) Pi D-interferes with Pj since ti G Dj after the 
edge tj, and hence this path cannot proceed along the green dashed path. 

Formally, we have the following new-ending path classification. 

(A) Pn = {Ps,v,F I F G X- 2 ( 7 r)}, 

(B) Pnodet = {P = Ps,v,F & Pv \ Fg Fy{D) and E{P) n E{D{P)) = 0 }, 
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(C) Vindep = {P = Ps,v,F ^ Vv \ F ^ Fv{D) and for every P' G P and P' are independet}, 

(D) Itt = {P € V \ P vr-interferes with every P' G X(P)}, 

(E) Xd = \ (Ptt U Vnodet U Vindep U X^). 

For schematic illustration see Fig. In our argumentation, we consider these classes in different 



Figure 7 : Schematic illustration of replacement-path classification. 

order. We first consider the class Vnodet and bound its cardinality using the kernel graph. We then 
use the analysis of this class to bound the cardinality of the collection of D-interfering paths Xq. 
Next, we consider the class of independent paths Vindep- The analysis of this class is completely 
different compared to the analysis of the previous two classes. Finally, we consider the class of tt- 
interfering paths, X^-, and show that they are “almost” independent, in the sense that interference 
of type TT induces only a limited amount of dependence between the replacement paths and hence 
the analysis for the independent case can goes through with relatively minor modifications. 

Before turning to bound the number of (vr, vr) and (vr, D) new ending paths, note that the number 
of last edges of replacement path Ps^v,{ei} for G 7 r(s,u) is bounded by 0 {y/n) as in [TO] . 

Observation 3.17 |Pi(7r)| = 0 {y/n) 

Proof: By the uniqueness of the 7r-divergence point, it is required to bound the number of replace¬ 
ment path Ps^v,{ei} whose last edge is not in Tq. For every such path P = Ps^v,{ei}j h holds that 
P[b{P),v] is edge disjoint with 7r(s,u), and therefore P[b{P),v] = SP{b{P),v,G\ E{tt{s,v)),W). 
Let Pi,...,Pt be such that each Pi = Ps^v,{e^} ends with a different new edge of v and or¬ 
dered in nondecreasing distance of dist(6(Pj), u). By the uniqueness of the weight assignment 
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W, it holds that P/ = Pi[b{Pi),v\ \ {u} are disjoint. Hence, |P/| > dist(6j,?;) — 1 > i — 2 , and 
I Wi\ — Overall, since there are n vertices in G, we get that t = 0{y/n) as 

required. | 


3.4 Bounding the number of new-ending paths of 

We hrst consider the new-ending (vr, 7r)-replacement paths protecting against failures on the 7r(s, v) 
paths. 


Lemma 3.18 \E2{tt)\ = 0 {y/n). 


Proof: By Obs. 3 . 17 , it is sufficient to bound the edge set P' = P2(7r)\(Pi(7r) U E{v, Tq)). For every 
edge e G E' , select one path Ps^v,{ei,ej} such that LastE(P, „ |g. g^.j) = e. Note that it then holds that 


Ps,v,{ei,ej} = SP{s,v,G\{ei,ej},W) (i.e., in such a case, P^, 


.} is not composed of the detours 


of Di and Dj). Let Pi,... ,Pt be the selected (7r,7r) replacement paths, each ends with a distinct 
edge from E'. Let bj be the last divergence point of Pj G Ptt and 7r(s,u). Let Pj = Pj[bj,v]. Note 
that by definition, LastE(Pj) ^ Tq and hence Pj is edge disjoint with 7r(s,v). We now claim that 
Pi and P'„ are vertex disjoint besides their common endpoint v. Assume, towards contradiction 

Pj^ n Pj2^ \ bs 3 ' common vertex in the intersection. By definition. 


Since LastE(Pjj) 7^ LastE(Pj2), there are two distinct w — v 
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otherwise, and let w G 

Pji ’ ^'32 ®bge disjoint with 7 r(s, Vj. kjnn-c i-.cio j f- i^do 

shortest paths in G \ vr, namely, Pj_^[w,v] and Pj^[w,v], contradiction by the uniqueness of the 
shortest paths. Order the paths of detours of P' = {Pi,..., P*} in increasing distance of bj and v. 
Then, |P/| > i hence, n > \ Ui=i -P/I = l-P/l > “ 2) = concluding that t = 0(^/n). 

I 


3.5 Bounding the number of paths that do not intersect their detours Vnodet 


In this section, we consider the set of paths and detours 

Pnodet = {P = Ps,v,F ^ Pv \ P G Pv{D) and P(P)nP(P(P)) = 0 } and Vnodet = {P>{P) I P e Pnodet}- 

and bound its cardinality. Our strategy is as follows. We first show that the first failing edge of 
every path P in this set is distinct. Then, Lemma 3.20 uses this property and the kernel subgraph 
P-iVnodet) of the detours of Vnodet to bound the cardinality of this set. 

Observation 3.19 Pi(Pi) / Pi(P2) for every Pi,P2 G Pnodet- 


Proof: Towards contradiction assume otherwise, that Pi(Pi) = Pi(P2) and hence also P(Pi) = 
D{P2). Without loss of generality, assume that Pi was constructed by Alg. Cons 2 FTBFS before P2. 
Since both are (tt, D) paths, we have that the second faults are on the same detour P2(Pi), P2(P2) G 
Pi (Pi). Since Pi,P2 G Pnodet 1 we have that P2(Pi), P2(P2) ^ Pi,P2- This implies that there are 
two shortest s — v paths in G \ (P(Pi) U P(P2)), namely Pi and P2. By the optimality of these 
paths |Pi| = IP2I, in contradiction to the selection of the last edge of P2 by Alg. Cons 2 FTBFS. | 

The next lemma bounds the number of paths in any collection of new-ending replacement paths 
P CPy satisfying that Pi (Pi) / Pi(P2) for every Pi, P2 G P. 
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Lemma 3.20 Every collection of new-ending replacement paths V satisfying that Fi(Pi) 7 ^ 

Fi{P 2) for every Pi,P2 G P, is of size \P\ = 

Proof: Let N = \V\. Order the paths of "P = {Pi,..., P/v} in increasing distance of s and Fi{Pj), 
i.e., dist(s, Pi(Pi)) < ... < dist(s, Pi(P/v)). Let = Pi (Pi) and M = [A^/2j. We now restrict 
attention to the set of first M paths Pm = {Pj \ 1 < i < M}- Note that for each path Pj G Pm-, the 
distance from v to the first failing edge Cj = Pi(Pj) is dist(ej, u, 7 r(s, i;)) > M. Let Di = D{Pi). We 
now construct the kernel subgraph K,{Vm) of the corresponding M detours Vm = (Pi, • ■ • ,Pm}- 
Recall that Di contributed only its prefix Di[xi,Wi] to the kernel subgraph K,{Vm)- 

From now on, let V'{IC{Pm)) refer to the vertices of the kernel graph V{JC{Pm)) excluding the 
vertices appearing on tt{s,v), i.e., V{K,{Vm)) = V{K,{Vm)) \ 

Let P\^ = {Pi G Pm \ Pi O V{K,{Vm)) = 0} be paths in Pm that have no common vertex with 
V'{IC{Vm)) and let P|^ = Pm \ Pm he the remaining paths. We begin by bounding the cardinality 
oiPl,. 

Observation 3.21 |P|^| = 0 {y/n). 


Proof: Let bi be the first divergence point of Pi from 7r{s,Vi). By Cl. 3 . 5 , bi is a unique divergence 
point and hence Pi[6i, u] and tt{s, v) are edge disjoint. Without loss of generality, assume that Pi was 
constructed by Alg. Cons2FTBFS before Pj. We now claim that P{ = Pi[6i, v\ and P) = Pj \bj , v\ are 


vertex disjoint, except for their common endpoint v, for every Pi, Pj G Pm- By Cl. 


3.14 


the second 

failing edges P2(Pi), P2(Pj) appears in the kernel subgraph }C{T>m) as D{Pi),D{Pj) G Vm- Since 
Pi,Pj do not intersect with V{IC(Vm)), it holds that P2(Pi), P2(Pj) ^ Pi,Pj- Assume, towards 
contradiction, that there exists a common vertex w ^ v in the intersection of P/ and Pj. It implies 
that there are two w — v paths in G \ (P(Pi) U F{Pj)), namely Pi[w, u] / Pj[w, v], contradiction to 
the selection of Pj by Alg. Cons 2 FTBFS, since its new edge could have been saved. 

Order the paths P{^ = {Pi,..., Pi} in decreasing distance of dist(s, bi), i.e., dist(s, 61 ) > ... > 
dist{s,bt). It holds that |Ft'| > \TT{bi,v)\ >i-l. Hence, | Ui=i ) \ {'^^11 = l^(-Pi) \ {'^11 ^ 

(t — 1)^. As there are n vertices in G, we get that t = 0{^/n). The claim follows. | 


So, it remains to bound the set P|^ of paths that intersect the vertex set V{IC{Vm))- For every 
path Pi G P|^, let Oi be the last common vertex of Pi and V'{1C{Vm)) on Pi, and define its suffix 
Pi = Pi[ai,v]. We now show that the Pj segments are disjoint, and using the structure of the kernel 
subgraph, we also show that the number of vertices in these subpaths is rapidly increasing with n. 


Claim 3.22 Pi n Pj = {uj. 


3.21 


Proof: The proof is similar to that of Obs. 
by definition they are vertex disjoint with V'{K, 


Since Pi and Pj are edge disjoint with 7r(s, v) and 
Vm)), by Lemma 3 . 14 [ it holds that F{Pi), F{Pj) 


are not in Pi and Pj. If there is a common vertex w G (Pj H Pj) \ {uj, then there are two distinct 
w — V paths in G \ (P(Pj) U F{Pj)), and we end with contradiction to the construction of these 
paths by Algorithm Cons2FTBFS. | 


We now classify the detours Di G Vm according to the length of the prefix Di[xi,Wi\ that 
was taken into the kernel. A detour Dj is expensive if \Dj\xj,Wj\\ > M/2, otherwise it is cheap. 
Next, the new-ending paths Pi of P|,^ are classified according to the first detour D{ai) in the (x, y)- 
ordering on which Oj (the last common vertex of Pj and V'{1C{Vm))) appears on its prefix, 
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i.e., D{ai) = Dj is the first detour in Vm satisfying that a* G Dj[xj,Wj]. Then Pi is expensive 
(resp., cheap) if D{ai) is expensive (resp., cheap). Let Vcheap = {Pi £ Pm I P{o-i) is cheap } and 
Pexpen = [Pi G Pm I Dio-i) is expensive }, where P]^ = Pcheap U Pexpen- To bound \Pm\, we 
separately bound \Pcheap\ and \Pexpen\- 

We first consider the cheap paths. 


Claim 3.23 \Pcheap\ = 0 {./n). 


Proof: 


Let Vcheap = \ {f}- By Cl. 3 . 22 , since Pi = Pi[ai,v\ are disjoint 


(except for the common endpoint v), hence \ Vcheap\ = “ !)■ We now focus on some 

Pi and show that \Pi\ > M/2. First note that Pi and Tr{s,v) are vertex disjoint (except for the 
common endpoint v), as a* occurs after the unique vr-divergence point of Pi from 7 r(s, v). Hence, 


\Pi\ > dist(ai, v,G\ 7r{s, v)) 


( 7 ) 


Let Dj = D{ai) G Vm be the detour protecting against the failing of the edge ej. Then, 

dist(a:j, u, G \ {cj}) > dist{xj,v,G) > dist(ej,u) > M , ( 8 ) 

where the penultimate inequality follows as Xj appears above the failing edge on 7 r(s, v) and last 
inequality follows by the fact that Dj G Vm- Since ai appears on a cheap detour Dj, we get that 

dist(xj, a,, G \ {cj}) < dist(xj, tCj, G \ {cj}) = \Dj[xj,Wj]\ < M/2 , ( 9 ) 

and hence by Eq. Q and Eq. 0 . we get that dist(ai, v,G\ {cj}) > M/2. 

Overall, by combining with Eq. Q, we get that \Pi\ > M/2. We therefore have that M/2 ■ 
\Pcheap\ < \Vcheap\ < n. It follows that \Pcheap\ < 2n/M. Since clearly, also \Pcheap\ < M, we have 
\Pcheap\ < min{M, 2 n/M} < \^^n. The claim follows. | 


Claim 3.24 \Pexpen\ = 0 {rP‘P). 


Proof: Let Vexpen = {Dj G Vm \ \Pj[xj,Wj]\ > M/2} be the collection of expensive detours, 
2; = \Vexpen\- We now classify the expensive paths of Pexpen into z classes where each path Pi is 
mapped to the class of the detour Dj G Vexpen on which ai appears. 

For every Dj G Vexpen, let Pj = {Pi G Pexpen I D{ai) = Dj}, and let Nj = \Vj\ be the 
cardinality of this set. 

We begin by bounding the number of vertices appearing in the expensive detours, let Vd = 
^Dj&Vexpen ) Lb the vertlcBS appearing on the expensive detours. By the construction 

of the kernel graph, the sets Dj[xj,Wj] are disjoint except for the point Wj (in cases where Dj is 
truncated). Hence, since every Dj G Vexpen is expensive, we get that 

\Vd\>z-{M- 1 )/ 2 . ( 10 ) 


We now proceed by bounding the number of vertices appearing on the expensive replacement paths, 
Vp = Up.e-Peipen \ Note that for every expensive path Pi, its segment Pi is vertex 

disjoint (expect for its endpoints a* and v) with the vertex set Vd since Vd T K,[Vm)- 


Fix some j G {!,..., z}, with Nj expensive paths Pj. We now claim that Vj = 


Pi 


contains V{N^) vertices. By Cl. 


3.22 


the Pi segments are disjoint. Order the paths of Pj in 


34 




increasing distance of a* from v. Since ai G Dj for every Pi G Vj and the Oj’s are distinct it 
holds that | 1 ^ | > {Nj — Pf {2 and summing over all j (as the Pi \ {n} are disjoint) and using the 
Cauchy-Schwarz inequality, we get that 


\Vp\>Y,{N,-lf/2. 

i=i 


Recall that the sets Vp and Vd are disjoint, and thus by Eq. ( 10 ) and 


n > |Vp U Vb| = \Vp\ + |Ed| > - 1 )V 2 + ^ • M/2 = . 

i=i 


( 11 ) 


We get M = 0 (n^/^), as required. | 

now follows by combining Obs. 


Lemma 


3.20 


3.21 


Cl. 


3.23 


and Cl. 


3.24 


By combining Lemma 3 . 19 | with Lemma 3 . 20 , we get the following. 

Corollary 3.25 \Vnodet\ = 


3.6 Bounding the number of D-interfering paths Xq 

In this section, we consider the set of D-interfering paths 

P-D =Pv\ {Ptt U Vnodet U Vindep U X^-). 


For every path P G Xq, recall that X(P) = {P’ G Vy \ F2{P') £ X’\X)(P)} is the set of paths to 
which P interferes. Since P G Xd, the set of interfered paths X(P) is non-empty. By the definition 
of Xd, a path P G Xd satisfies P ^ {Vnodet U X^), so we have the following. 

Observation 3.26 For every P G Xq.' ( 1 ) E{P) n E{D{P)) ^ 0 , 

( 2 ) there exists P' G X(P), such that P2(P') = (^1,^2) ^ P \ D{P) o-nd P2(P) G D'[qi,y'] n D{P) 
and Pi(P) ^ 7 r(y',n) where D' = D{P') and y' = y{D'). 


Let Vy = {D{P) I P G P^u} be the collection of detours corresponding to new-ending s — v 
paths Vy. Let Np = |Xd| be the number of the D-interfering paths and let A^d = \Vv\ be the total 
number of detours. The main challenge in this section is to show that Np = 0 (Wd) and hence 
Lemma 3.20 can be applied to bound from above the cardinality of Xq. We begin by stating a 
useful claim for the paths in Xq. 


Claim 3.27 For every P G Xd and for every P’ G X(P), D = D{P) and D' = D{P'), it holds that 
D and D' are dependent and not x-interleaved (i.e., x{D) / x{D')). 


Proof: Since the path P D-interferes with the path P', it holds that the failing edge P2(P) G Dr\D’, 
i.e., the detours D' and D' are dependent. In particular, the failing edge P2(P) appears on D' 
after the edge P2(P'). We now show that x ^ x' where x = x{D) and x' = x{D'). Towards 
contradiction, assume otherwise. Then since P2(P) = (91,92) is common with D and D', by 
Cl. 3.6 P[x,92] = D'[x,q2]- Since F2{P') occurs on D' before the edge P2(P), it holds that 
F2{P') G P[x, 92], contradiction to the fact that E2{P') G P\D. The claim follows. | 
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In view of Cl. 3.27, the interfering paths P of Xq are now subdivided into two subsets depending 


on the relation between their detour D[P) and detour D[P') of the interfered paths P' G X(P). 
Let Xq be the set of interfering paths P that interfere with a least one path P' whose detour 
D{P') and D{P) are y-interleaved (i.e., ends at the same y-point), i.e., X^ = {P G Xq | G 
X(P) such that y{D{P')) = y{D{P))}. Let Xp = Xd \Xp be the complementary set of D interfering 
paths. To bound the cardinality of Xq as a function of the total number of detours, we bound 
separately X^ and Xp. We begin with bounding X^. 


Bounding the number of paths in X^. For every P, let I{P) be some path P' interfered by P 
whose detour is y-interleaved with D{P), i.e., P' G X(P) and y{D{P')) = y{D{P)). Since P G Xp, 
such I{P) is guaranteed to exist. 

Our strategy now is to classify the paths P of Xp according to the y-value of their detour D{P) 
and consider each class separately. 

For every vertex y' G 7 r(s, v), let V{y') be the set of detours in whose y-value is y', i.e., X’(y') = 
{D{P) I P G P. and y(P(P)) = y'}. 

Let V{y') be the set new-ending paths in Xp whose detours are in V{y'), i.e., V{y') = {P G 
Xi I D{P) G V{y')}. 

We now fix some y' G Tr{s,v) and bound the number of paths Np[y') = \P{y')\ by the number 
of y-interleaved detours N^{y') = |P(y')|. Our goal is to show that for every y' G 7 r(s, v), Np{y') = 
0{N^{y')). To show this, we consider y' G 7 r(s,u) and construct the kernel graph /C(P(y')) on 
the subset of y-interleaved detours V{y') = {Pi, • •., D(}. Note that whereas in general K.{V) is a 
subgraph of the graph G{'D) obtained by the union of the detours in X>, in this specific case ,where 
all the detours are y-interleaved (end in the same vertex), the kernel graph coincides with the whole 
graph, i.e., JC{V) = G{V). This is proven formally in Obs. 3.31 Let Xi = {xi \ Di G Piy')} and 
Wi = {wi I Di G P(yO} denote the endpoints of the detour fragments taken into the kernel graph 
K.{V{y')). We begin by claiming that for every two y-interleaved detours Pi, P2 £ P(yO) their first 
common intersection point First (Pi, P2) is in the endpoint set Wi. (This means that the number 
of first common intersection points among detour pairs in D{y') is only 0{Pj rather than 
Recall that by Cl. 3.11[ since Pi and P2 are y-interleaved, it holds that the first common vertex 
is the same, i.e., First(Pi,P2) = First(P2, Pi). 


Claim 3.28 For every Pi,P 2 G V{y'), First(Pi,P 2 ) G Wi. 


Proof: Let T>{y') = {Di,... ,Di} be ordered by (x, y)-ordering P(y'), corresponding to their 
addition into the kernel subgraph /C(P(y')). We prove by induction on i G that 

First(Pj, Dj) G Wi for every j <i — 1 . The base of the induction i = 1 holds vacuously. Assume 
the claim holds up to i — 1 and consider i. There are two cases. Case (1): Pj is a non-truncated 
detour (i.e., Pj nPj = jy'} for every y < i — 1). In this case the claim holds vacuously again. Case 
(2): Pj is truncated. Let Dj/ = 'l'(Pj) be the breaker detour of Di for some j' < i — 1. In other 
words, Dj/ is the detour satisfying that Wi = First(Pj, P^/). By definition of the kernel graph, 
the vertex Wi = First(Pj,Py/) is included in the endpoint set Wi. Note that for every other P^, 
for k < i — 1 , the first common vertex First(Pj,Pfc) appears on Di not before First (Pj, Pj/). 
Since Pj and Pj/ are y-interleaved, by Cl. 3.6 Pj[rcj,y'] = Dji[wi,y']. The remaining detours P^ 


for k < i — 1 can now be divided into two types. The first type consists of detours P^ whose first 
common vertex with Pj/, namely, qk = First(Pfc, Pj/) appears on the detour Pj/ not after tCj. In 


this case, since P^ and Pj/ are y-interleaved, by Cl. 3.6 we get again that Dk[qi^,y'] = Pj/[gfc,y'], 


and hence the first common vertex of these detours with Di is exactly rcj, which was added, that 
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is First(Z)j, Dfc) = First{Di, Dj/) G Wi- The second type consists of detours D^, for k < i — 1 , 
whose first common vertex with Dj/, namely, = First (Z?/;, Dji), appears on Dj^ after Wi. In such 
a case, since Di and Dj/ are y-interleaved, by Cl. 3.6 we get that Di[wi,y'] = Dj/[wi,y']. Therefore, 
the first common vertex of these detours with Di is exactly the same as their first common vertex 
with Dj/, i.e., First(iZfc, Dj) = First(Dfc, Dj/). By the induction assumption for j' < i — 1, it 
holds that First(Dfc,Dj) G Wi. The claim holds. | 


Regions. Observe that in lC(D{y')), the vertices of Wi have degree at least 3, those of Xi have 
degree 1, and all other vertices have degree 2. Hence, IC{'D{y')) can be decomposed into a collection 
of maximal paths that are fragments of detours referred to hereafter as regions. A subpath R C 
K,{V{y')) is a region if is satisfies the following two properties: (1) the endpoints of the subpath R 
are in Wi, i.e, i? is a ui — U2 path in the kernel graph, for some ui,U2 G AiUkVi and (2) R contains 
no other points in Xi U Wi, i.e., R H {Xi U Wi) = {^1,^2}. See Fig. |^a) for an illustration. 

Let R-iy') be the collection of regions in IC{'D{y')). Note that the union of regions in TZ{y') 
covers the kernel graph JC(V{y')), i.e., JC(V{y')) = {R G TZ{y')}. Let Nii{y') = \Tl{y')\. We now 
bound Nji{y') by the number of detours N£){y'). 

Claim 3.29 (1) Nji{y') < 2-No{y') regions. (2) For every region R G TZ{y'), there exists a detour 
Di G D{y') that contains it (i.e., DC Di). 


Proof: The two claim are shown by induction on the iterative process that constructs the kernel 
graph ICy{V(y')), analyzing the regions induced at each step. Let Vr = {Di,... ,Dt-} C D(y') and 
Nr{y') be the number of regions induced up to step r in Ky = Dj[xj, tCj]. For the induction 
base consider Di. The detour Di is non-truncated and hence the graph K,y = Di consists of a 
single region and Ni[y') = 1, so (1) holds. In addition, the single region is Di and hence (2) holds 
as well. 

Now assume that the two claims holds up to step r — 1, and consider step r when the detour 
Dy is added to the kernel. If the current detour Dy is non-truncated, then only one new region is 
added, namely, Dy, so Nr{y') = W-i(yO + 1 < 2 t — I by the induction assumption, so (1) holds. 
In addition, since the new region is exactly Dy, part (2) holds as well. Else, if Dy is a truncated 
detour, let R' be the region in the current kernel graph that contains the vertex Wy (i.e., the 
first common vertex of Dy and the current kernel graph ICy~^). As Wy joins the set Wi, this region 
R' is bisected into two regions, namely, before and after the vertex Wy, and there is an additional 
new region corresponding to the fragment Dy[xy,Wy]. By the induction assumption, part (2) holds 
for the region R' and hence it also holds for its two new fragments. The new region Dy[xy,Wy] 
clearly satisfies part (2) as well. Note that the remaining regions R" R' in are unaffected 

by the addition of the detour Dy. Overall, after this step Ny = W-i + 2 so (1) holds. The claim 
follows. I 

The following claim shows a useful property of a regions. 


Claim 3.30 If D' n R ^ then R Q D'. 


Proof: Let R = Di[wi,W2] for some D^ G D{y') and wi,W2 G Wi. (By Cl. 3.291 (2) and by 


the definition of a region this is well defined.) Assume, towards contradiction, that there exists 
a detour Di G D{y') intersecting with R but not containing it. Let p G Di n D be the first 
common vertex of Di in the region R. Since the detours Di and Di are y-interleaved, by Cl. 3.6 
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I^elp^y'] = Di[p,y'] and hence R\p,'W2] ^ Di. So by the contradictory assumption, there exists 
some vertex p2 € \ Di. Let = First(Di, be the first common vertex of Di and 

D£. By Cl. 3 . 28 [ w' G Wi- Hence, there are two cases to consider. If the wi endpoint of R, is w', 
the claim follows by Cl. 3 . 6 , since Di[wi,pi] = D£[wi,pi]. 

Otherwise, consider the case where tci / w'. By the definition of the region R, w' ^ R[wi,pi]. 
Since w' appears on Di not after the common vertex pi, it holds that it must appear before wi. 
The claim follows by Cl. 


3.6 


again. 


I 


Observation 3.31 JC{'D{y')) = G{V{y')). 


Proof: Assume towards contradiction otherwise and let Dt be the first detour in the ordering for 
which Dt ^ K.{V{y')). Clearly, t > 1 . Let Dt' for t' < t he the first detour that Dt intersected 


with when added to K,{V{y')). Hence, Dt[xt.,wt] C K,{V{y')). Since wt,y' G Hi H Dt/, by Cl. 3.6 
Dt[wt,y'] = Dti[wt,y']. Since Dt' C K,{V{y')), we end with contradiction the claim holds. | 

For every replacement path Pi G V{y'), let Cj G D{Pi) be the unique D-divergence point of Pi 
and Di = D{Pi). Recall that since Pi ^ Pnodeti such Cj exists. Let V^{y') = {Pi G V{y') \ Ci G 
Ai U Wi} be those paths Pi whose divergence points Ci is an endpoint vertex in the Xi U Wi and 
let V‘^{y') = P{y') \ P^iy') be the remaining paths, whose divergence point from their detour is 
strictly inside a region. 

We first bound the number of paths in V^{y'). Since \Xi U Wil < 2 \ND{y')\, by the distinctness 
of the D-divergence points established in Lemma | 3. 16 we have the following. 


Observation 3.32 \P^{y')\ < 2|A^d(?/')|. 

It remains to consider the replacement paths in V‘^{y'). The goal of constructing the kernel graph 
JC{D{y')) and its decomposition into regions, is the following key lemma. 

Lemma 3.33 In any region R G IZ{y'), there exists at most one D-divergence point Ci for a unique 

Pi^V^{y'). 

Proof: Assume, towards contradiction, that there is a region R with two distinct divergence points 
Cl / C2 for two (vr, D)-paths Pi G SP{s,v,G \ {ei,ti}), i G { 1 , 2 }. Let Di = D{Pi) for i G { 1 , 2 }. 
Note that it might be the case that Di = H2. By Cl. 3.30 we get that R C Di,D2. Since 


Pi ^ Pnodet, R holds Cj G Hj for z G { 1 , 2 }. Without loss of generality, assume that ci appears on 
Hi (and H2) before C2. Then by Cl. 3 . 15 } 3 . 1 ), it holds that P2[s,C2] = 7 r(s,X 2 ) o H2[x2,C2] and 
since ci G H2 [x2 , C2] we have that ci G P2 • 

Let i-3 = /(Hi) be the path to which Hi interferes and let H3 = D{P^). By the selection 
of the interfered path /(Hi), the detours H3 and Hi are y-interleaved (^3 = yi = y'). Hence 
Hi,H2,H3 G P{y')- Let t3 = (^1,52) = F2{Pz) and by Obs. 3 . 26 ' 2 ), F2{Pi) appears on H3 strictly 


after ^3, i.e., H2 (Hi) G D^[qi,y^]. We now distinguish between two cases depending on the location 
of second failing edge ti = H2(Hi) of Hi. 


Case ( 1 ): the edge ti ^ Hi[ci,C2]. Since ci,y' G Hi,H2, by Cl. 3 . 6 , Hi[ci,y'] = H2[ci,y']. 
Since H2(Hi), H2(H2) G H2[c2,y'] and ci,C2 are the unique divergence points of Hi and P2 from 
their detours Hi and H2 respectively, we get that there are two distinct ci — v shortest paths in 
G \ (H(Hi) UH(H2)), namely, Hi[ci, n] and H2[ci, n]. By the optimality of Hi and H2, these subpaths 
are of the same length. Hence assuming, without loss of generality, that Hi was constructed before 
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P2 by Alg. Cons2FTBFS, we end with contradiction to the selection of P2 (i-e., the last new edge 
of P2 could have been avoided). 


Case ( 2 ): ti G Di[ci,C2]- Since Pi interferes with /(Pi) = P3, it follows that y{D^) = y' and the 
edge ts = P2(P3) ^ Di appears on the suffix Pi[ci, v]. See Fig. [8)(b) for an illustration. Recall that 


H = (o'!) 92) where qi appears on P3 before q2- By Obs. 3.26 the failing edge ti appears in P3 


after First note that since Di and P3 are y-interleaved, it holds that xi 7^ X3 (as otherwise, 
Di = P3). In addition, since P3 has a non-empty intersection with the region P as p G PnP3, by 
Cl. 3 . 30 , we have that R C P3. Let w = First(Pi,P3) be the first common vertex of the detours 


Di and P3. By Cl. 3 . 28 , w G Wi. As ci is an internal point in the region R, it does not belong to 
Wi, so re 7^ Cl, and moreover w appears on P3 and Di strictly before the detour divergence point 

Cl. 


Note that P2(Pi) ^ P3[t3,ci] since P2(Pi) occurs on Di^D^, only after ci. Hence by the 
optimality of the replacement path Pg^v^ies} (where 63 = Fi^P^)), we have that P3[q2,ci] = 
D3[q2,w] o D3 [w, Cl], and therefore 


dist(g2,'«^,G'\ (P(Pi) U {cs})) < dist(g'2,ci,G\ (P(Pi) U {cs})) . ( 12 ) 


On the other hand, since Pi[6i,u] is edge disjoint with tt{s,v) where bi is the unique vr-divergence 
point of Pi from tt(s,v), by the optimality of Pi, we have the following w — q2 shortest path in 
G \ {F{P) U {cs}), namely, Pi[w, ci] o P[ci, g'2], since w 7^ ci, we have that 


dist(g2, 'w,G\ (P(Pi) U {cs})) > dist(g'2, ci, G \ (P(Pi) U {cs})) 


which contradicts Eq. ( 12 ). Note that, indeed, by the structure of the new-ending path Pi ^ Vnodet, 
it visits an edge P2(P3) which is not on its detour, only after leaving its detour. The claim follows. 

I 


Since every region contains exactly one D-divergence point, by the distinctness of these points (see 
Lemma 3 . 16 ), and by Lemma 3 . 29 , we have the following. 

Corollary 3.34 For every y' G 7r(s,u), Np{y') = 0 {N{i{y')). 


By Obs. 3.32 and Cor. 3.34 we now have: 

Corollary 3.35 |Xq| = 0(|P,i;|). 

Proof: By de finition, the sets V{yi),V{y2) are disjoint and thus P{yi),V{y2) are disjoint as well. 

we have that |X^| = Np{y') < c-Ey'e7r(s,,;) ^oiy') = c-\V^\. The corollary 


By Cor. 
holds. 


3.34 

1 “ 


Bounding the number of paths in X^. We begin by defining for every path P G X^, a special 
interfered path /(P) G X(P) such that Di = D{P) and D2 = D{I{P)) are fw-interleaved and 
moreover, x{Di) < x{D2). The next observation justifies the existence of such a path. 

Observation 3.36 For every P G Xq, there exists /(P) G X(P) satisfying that Di = D{P) and 
D2 = D{I{P)) are fw-interleaved such that x{Di) < x{D2). 

Proof: Consider some path P G X^. For ease of notation, for every (vr, D) new-ending path P', 
let x{P') = x{D{P')) and y(P') = y{D{P')). We first show that there exists P' G X(P) such 
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Figure 8: (a) Illustration of the kernel graph the segment Di[wi^W4\ is a region in 

TZ{y'). (b) Illustration for Lemma 3.33 Shown is a region R = Di[w2,y'] with two D-divergence 
points Cl and C2 such that ^2(^1) = ti is in between them. Since Pi D-interferes with P3, it visits 
F2{P3) = ts after departing from its detour at the point ci. Using the route from W3 to ^2 provided 
by D3 is strictly better. 
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that y{P) < y{P')- Assume towards contradiction that for every P' G P{P), y{P) > y{P')- Since 
D{P) and D{P') are dependent (see Cl. 3 . 27 ), by Cl. 3 . 10 K b), Fi{P) G TT{y{P'),y{P)), hence 
P vr-interferes with every P' G P{P), leading to contradiction by the fact that P G Xd (i.e., in 
such a case, P G X^-)- Hence, there exists P', for which y{P) < y{P')- Since P ^ X^, necessarily 
y{P) / y{P'), concluding that y{P) < y{P')- 

We now show that also x{P) < x{P'). By Cl. 3 . 27 | we have that x{P) / x{P'). So it remains 
to disqualify the possibility that x{P) > x{P'). Indeed if x{P) > x{P'), then combining with the 
fact that y{P) < y{P'), we get that D{P) is nested in D{P') and since the detours are dependent, 
we end with contradiction by Cl. | 3 . 9 [ 


So far, we have that x{P) < x{P') < y{P) < y{P')- Note that since F2{P) £ P{P) C D{P') 


Hence, by Cl 

I 


and x{P) < x{P'), by Cor. 3 . 13 , D[P) and D{P') are neither (x, y)-interleaved nor rev-interleaved. 

X^a) 


it must hold that D{P) and D{P') are fw-interleaved. The claim follows. 


Let V2 = {D{P) I P G Xp} be the set of detours corresponding to the paths in Xp. For 
every detour P G X>2) dehne the set of detours X[D) as the collection of detours D{P') such that 
P' = I{P) for some path P G X^ whose detour D{P) is D, i.e., 

X(P) = {P(P') I there exists P G Xg such that D{P) = D, I{P) = P'}. 


By Obs. 3 . 36 t we have the following. 


Observation 3.37 For every P G P2 CLnd every D' G X(P), it holds that D' and D are dependent 
and fw-interleaved such that x{D) < x{D') < y{D) < y{D'). 


To bound the number of paths in Xq, we define a prefix D[x{D),w{D)] for every detour D £ V2 
and show that every such prefix contains at most one D-divergence point of some path in X^. In 
this sense, the prefix is the analogue of the region, used in the analysis of the paths in Xq. 


For every detour P G P2, define the unique point w{D) G P in the following manner. Let 
IF(P) be the collection of first common vertices of the detours P and D' G X(P), i.e., IF(P) = 
{First(P, D') 
hence by Cl. 


D' G X(P)}. Note that by Obs. 3 . 37 , P and D' are dependent and fw-interleaved, 
3 . 1 l| First(P,P') = First(P',P). Then, let w{D) G W{D) be the point whose 


distance from x{D) on P is minimal. In other words, w{D) is the earliest first common vertex of 
the detour P with any of the detours in X(P). See Fig. [^a) for a schematic illustration. Our next 
goal is to show that every D-divergence point c(P) must occur on the prefix 'L(P) = P[x(P), w{D)] 
and in addition, for each P G P2) there exists at most one path P G Xq whose divergence point 
c(P) is in 'I'(P). This implies the stronger conclusion that P(P) 7^ D{P') for every P, P' G Xq and 
hence IP2I = |Xq. 


The next lemma is crucial for analyzing the set X? 


D- 


Lemma 3.38 Let Pi,P2 G Xq he such that P(Pi) = P(P2) = Do- Let Ii = I{Pi) and I2 = 
/(P2),Pi = P(/i),P2 = D{l2). Hence Pi,P2 G X(P). //First(Po, Pi) / First(Po, P2), then 
Po n Pi n P2 = 0 . 


Proof: Let Xi = x{Di) and yi = y{Di) for i G { 0 , 1 , 2 }, wi = First(Po, Pi), tC2 = First(Po,P2) 
and assume without loss of generality that wi appears on Pq strictly before W2- Note that by Obs. 


3 . 37 , Pq is fw-interleaved with both Pi and P2. Hence, First(Po,Pi) = First(Pi,Po) and also 


First(Po, P2) = First(P2, Pq)- Assume towards contradiction that there exists a common vertex 
f G Pq n Pi n P2. We check two cases. 
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Case (a): xi = X2- By Cl. | 3 . 6 [ Di[xi,£] = D2[x2,i]- By definition, the common vertex i appears 
not before rci on Di, hence wi £ Di[xi,£] = D2[x2,i], contradicting the fact that W2 is the first 
common vertex of Dq and D2. 

Case (b) xi ^ X2- In this case, we show that the detours Di and D2 are independent, i.e., Dir\D2 = 
0 , which implies the claim. See Fig. ib) for an illustration. Assume towards contradiction 


that Z?! n L>2 7^ 0- Assume first that xi < X2- By Obs. | 3 . 37 [ Dq and Di are dependent and 
2/0 < yi- Hence, by Cl. | 3 . 10 [ b), Fi{Ii) G 7r(2/o,2/i)- On the other hand, since by the contradictory 
assumption Di and D2 are dependent, by Cl. 3 . 10 [ a), Fi{Ii) G 7r(xi,X2). Overall, we have that 
Fi(/i) G 7r(xi, X2) n vr(2/o, 2/i)- Finally, by Obs. 3 . 37 [ Dq and D2 are interleaved such that X2 < yo, 
leading to contradiction as 7r(xi,X2) n 7r(2/o,2/i) = 0- The case where xi > X2 is analogous. The 
claim follows. | 


r2 . 


Lemma 3.39 For every Pq G Xq. 

( 1 ) the unique D-divergence point c = c{Po) with Dq = D{Pq) is in Do[xo, r(;(ZIo)] where xq = x{Dq) 
and ( 2 ) F2{Pq) G X)o[^^^(X>o), y(X>o)] ■ 


Proof: Begin with ( 1 ) and assume towards contradiction otherwise. Consider Pq G Xq such that 
D{Po) = Dq and c ^ Do[xo,w{Do)], let Pi = I{Po), Di = D{Pi). 

We first claim that w{Dq) G Pq. To see this observe that since Pq ^ Vnodet, by Cl. 3 . 15 [ 3 . 1 ), 
Pol'S, c] = 7 r(s,xo) o Dq[xq,c]. Since (by the contradictory assumption) c appears on Dq strictly 
after w{Dq), it holds that w{Dq) G Do[xq,c] and hence w{Dq) G Pq. We next distinguish between 
two cases depending on the value of First(Po, X^i). 

Case ( 1 ): w{Dq) = First(Po, Pi)- In this case, First(Po,Pi) is selected as the vertex w{Dq) 
that defines the prefix Dq[xq,w{Dq)]. By Obs. 3 . 26 , P2(Po) G Pq n Pi, and hence P2(Po) appears 


on Di after the first common vertex w{Dq). In addition, P2(Pi) appears on Di before P2(Po) and 
since P2(Pi) G Pi \Po (by the definition of interference), it holds that P2(Pi) appears on Di before 
the common vertex w{Dq). 

Let P2(Po) = iqi,q2)- We then have that w{DQ),q2 G Po n Pi and hence by Cl. 3.6 
Do[w{DQ),q2] = Di[w{Do), q2]. Since c appears on Dq after w{Dq) but before the failing edge 
F2{Po), we get that c G Po[rc(Po), ^2] = Pi[in(Po), 52]- Let P2(Pi) = (01,02). We now con¬ 
sider the path Q = Di[ai,w{DQ)] o Di[w{Dq),c]. We claim that Q is an oi — c shortest-path 
in G \ (P(Po) U {Pi(Pi)}), since ( 1 ) clearly, Pi[oi,c] G SP{s,v,G \ {Fi{Pi)}) and ( 2 ) P2(Po) 
occurs on Di only after the D-divergence point c, so P2(Po) ^ Pi[ai,c], and hence Pi[oi,c] G 
SP(s,i;,G\P(Po)). 

Since the path Pi[oi,c] visits w{Dq), we have that 


dist(oi, u;(Po), G \ (P(Po) U {Pi(Pi)})) < dist(oi, c, G \ (P(Po) U {Pi(Pi)})) 


( 13 ) 


We now use the path Pq to present a w{Dq) — oi path in G\ (P(Po) U {Pi(Pi)}) that goes through 
c. Recall that w{Dq) G Pq. Note that by Cl. 3.15[ 3.1), since the interfered edge P2(Pi) is not 
on P(Po) (by the definition of interference), it holds that Pq visits this edge only after leaving 
its detour Dq, i.e., after visiting the D-divergence point c. Hence, the route in Pq from w{Dq) 
to oi is given by Po[ii'(Po), c] o Po[c, oi]. Note that since c appears on Pq after the vr-divergence 
point Z(Po), indeed the subpath Po[u;(Po),ai] does not contain the edge Pi(Pi), implying that 
|Po[t(;(Po), ai]| = dist(tc(Po), oi, G \ (P(Po) U {Pi(Pi)})). Since Po[rc(Po), oi] visits c, we have 
that 

dist(ai,u;(Po),G\(P(Po)U{Pi(Pi)})) >dist(ai,c,G\(P(Po)U{Pi(Pi)})) , (14) 
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contradiction by Eq. (13). See Fig. [^c) for an illustration. 


Case ( 2 ): w{Dq) ^ First(Zi>o>Let D* G '^{Dq) be the detour satisfying that w{Dq) = 
First (Ho, L)*), i.e., its hrst common vertex with Dq appears earlier than all other detours D' G 
X(H). Hence, there exists a path P G Xq such that D{P) = Dq and D{I) = D* where I = I{P)- 


Consider now the w{Dq) — v path Q = D*[w{DQ),y{D*)] o 7r{y{D*),v) 


We have that Q G 
3^ y{D*) > y{Do) 


SP{w{Dq),v,G \ {Pi(/)}). We now show that Pi(Po), P 2 (Po) ^ Q- By Obs. 
and hence Pi(Po) ^ TT{y{D*),v). Clearly, also Pi(Po) ^ D*, hence Pi(Po) ^ Q. In addition, since 
First(Ho, D*) / First(X)o, L>i) and P 2 (Po) G Hq C Hi, by Cl. 3.38, Hq C Hi n H* = 0, and hence 
L 2 (Xb) ^ D*. Clearly, P 2 (Po) ^ 7r(s,u), hence P 2 (Po) ^ Q- Overall, we have that Q is a w{Dq) — v 
shortest-path in G' = G \ fp(Po) U {Pi(L 


We now use Pq to present an alternative w{Dq) — v shortest-path in G', namely, Po[w{Dq),v]. 
Since Pq visits w{Dq) only after leaving the shortest-path 7r(s, v), it holds that Pi(/) ^ Po[w{Dq),v], 
hence Po[w{Dq),v] G SP{w{Dq),v, G') as well. By the optimality of Po[rc(Ho), v] and Q, we get that 
there are of the same lengths, leading to contradiction in the selection of Pq by Alg. Cons2FTBFS 
(i.e., the path Po[s, rc] o Q is optimal in length and it is not new-ending, so the new-edge of Pq could 
have been avoided). 


Now, consider part (2). Since P2(Po) G Hq n Hi, it holds that P2(Po) occurs on Dq after 
First(Ho, Hi). Since w{Dq) is the earliest intersection point with some D' G X(Ho), the claim 
holds. I 


Lemma 3.40 


12:^1 = m 


Proof: We show that D{P) 7^ D[P') for every P, P' E Assume towards contradiction that 
there exists at least two paths P, P' G Xq such that H(P) = D{P') = D. Since P, P' ^ Pnodeti their 
unique D-divergence points c = c(P) and d = c(P') respectively, appear on the common detour 
H. In particular, by Lemma 3.39, it holds that c, c' G D\x,w{D)\. By the distinctness of the D 


divergence points of Lemma 3.16 c 7^ d, so without loss of generality, assume that c occurs on H 
before d. We now show that the failing edges F{P) and F{P') do not occur on both of the paths 
P and P' . First, note that since P, P' ^ Pnodet-, their vr-divergence point is 6 (P) = b{P') = x{D), 
and thus Pi(P),Pi(P') ^ P, P'. We now show that also P2(P),P2(P') ^ P, P'. By Lemma 
3.39, F2{P), F2{P') ^ D[x,w{D)] hence it also holds that F2{P),F2{P') ^ H[c, c']. Finally, since 


P2(P),P2(P') ^ H[c, c'] and P[c, u] and P[c',u] are disjoint with the detour H, the claim holds. 
So, we have two distinct c — v paths in G \ (P(P) U P(P')), namely, P[c, u] and P'[c, u], leading to 
contradiction to the selection of the latter paths by Algorithm Cons2FTBFS. The claim holds. | 


Corollary 3.41 ( 1 ) Np = O(A^d) cind ( 2 ) Np = 0(n^/^). 


Proof: Part (1) follows immediately by Obs. 3.32 and Lemma 3.34 To prove part (2), select a 


subset V of A'^d new-ending paths, such that for every pair of paths P, P' G P', H(P) 7^ H(P') 
and hence also Pi(P) 7 ^ Fi[P'). That is for every detour H G Dy we take one path representor 
P G P„ satisfying tha t D(P ) = D. Note that V' is not necessarily related to the set of interfering 


paths Xq. By Lemma 


3.20 


Np = 0 {rd/^). Part (2) follows. | 


it holds that \V'\ = A^d = 0(re^/^), hence combining with by part (1), 
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(a) (b) (c) 


Figure 9 : (a) The detours Di,D2 G I{Dq). The prefix Dq[xo,w{Dq)] is determined by the ear¬ 
liest first common vertex with the detours of X[Dq). In this case, w{Do) = First(D q jsince 
First(T)o, T)2) appears on Dq strictly after it. (b) Illustration for Lemma 3 . 38 , The detours Dq 


and Di are interleaving and also Dq and D2 are interleaving. The assumption that Di and D2 
are dependent, implies contradicting positions for the location of ei. Since yo < yi and Dq and 
Di are dependent, we have that ei G 7 r(y0)?/i)- On the other hand, xi < X2 and Di and D2 are 
dependent, we have that ei G tt{xi,X2), leading to contradiction since yo > X2- (c) Illustration for 
Lemma 3.39 Shown is a replacement path P = Ps,v,{eo,to} where to G Dq and hence D{P) = Dq. 
The path P D-interferes with a path P' = Ps,v,{e-i_,tp^ hence P visits the edge G P \ Dq after 
diverging from its detour at the point c. Since c ^ Dq[xq., 'w{Dq)], a strictly better route from w to 
ti exists using the subpath provided by the detour Di. 
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3.7 Bounding the number of independent paths Vindep 
Let Vindep denote the set of indpendent new-ending paths where 


Vindep = {P £ Vv I there exists no P' G Vy such that F2{P') ^ P \ DiP)} 

and let Nindep = \Vindep\ denote their number. In this subsection, we bound Nindep by 0 {'n?P). 
Recall that for every (vr, D) new-ending path Pi ^ Vnodet, h is its vr-divergence point and c* is its 
□-divergence point and by Cl. 3 . 15 [ these divergence points are unique (i.e., Pi does not return to 
Tr{s, v) after bi, and does not return to D{Pi) after Cj). We begin by showing that the suffix of every 
independent path Pi starting from its D-divergence point c, (i.e., P/ = Pi[ci,v] \ {u}) is disjoint 
from the suffix Pj of any other Pj G Vindep- 


Observation 3.42 For every two paths Pi, Pj G Vindep, Pi = Pi[ci, v] \ {u} and Pj = Pj[cj,v] \ {u} 
are vertex disjoint. 


Proof: Without loss of generality, assume the Pi was constructed by Alg. Cons2FTBFS before Pj. 
Since P^ C Pk[bk,v] for k G {i,j}, by the uniqueness of the vr-divergence point it holds that P^ is 
edge disjoint with 7r(s,u) for . Hence, Pi (Pi) ^ Pj and Fi{Pj) ^ Pj. We now consider the second 
faults. By the definition of Vindep, h holds that F2{Pj) ^ Pi \ D{Pi). Hence, by the uniqueness of 
the D-divergence points c* and Cj, it holds that also P2(Pj') ^ P/ and similarly P2(Pi) ^ Pj. 

Assume, towards contradiction, that there exists a common vertex w ^ v in the intersection 
of the suffixes P/ and Pj. By the above, we get that there are two distinct w — v paths in G \ 
{F {Pi) U F (Pj)) , namely, Pl[w,v] ^ P'j[w,v], leading to contradiction by the selection of Pj by 
Algorithm Cons2FTBFS (i.e., the last edge of Pj could have been avoided). | 


Claim 3.43 For every two independent paths Pi,P 2 G Vindep with Di = D{Pi),i G {1,2}, and 
y2> Hi, ifh = 62 then ci G D2 where y2 > yi- 


Proof: Let w = Last(Pi,P2) be the last common vertex of Pi and P2 (since Pi and P2 are x- 


interleaved, such u) exists). Hence, by Cl. 3 . 6 , Pi[xi, tc] = D2[x2,w]. Assume towards contradiction 
that Cl G Di[w, yi]. Since Pi ^ Vnodet, by Cl. 3 . 15 | ( 3 . 1 ), it holds that Pi[s, ci] = 7r(s, xi)oDi[xi, ci], 
concluding that P2(Pi) must fall in the Pi-excluded region Di[w,yi], leading to contradiction by 
Cl. 


3.12 


The claim follows. | 


Equipped with Cl. 3 . 43 , we now induce a (6, c)-ordering on the independent paths Vindep, 


which can be viewed as based on treating hi and Cj lexicographically. Recall that for two vertices 
ui,U2 G 7r(s,u), we denote ui < U2 if dist(s, ui, 7r(s, u)) < dist(s, U2,7r(s, u)). For bi / bj, we say 
that {bi,Ci) < {bj,Cj) if hi < bj. For bi = bj, we use the second coordinate Cj to break the tie. 
Let Pfc G {P(Pj), P(Pj)} be the detour with the lower y-value among the two (i.e., closer to v on 
7 r{s,v)). Note that by Cl. | 3.43 both Ci,Cj G Pfc. In addition, by Lemma 3 . 16 , c* Cj. This allows 


us to define, in this case, that {bi,Ci) < {bi,Cj) iff dist(6i, Cj, P^) < dist(6i, Cj, Pfc). 


We now order the independent paths in increasing (6, c) order of their values. Let Vindep = 
(Pi,..., P^l where (61, ci) < (62, C2) < ... < {b^, ce). Our next goal is to show that the lengths of 
the paths in the ordered set indep is strictly monotone decreasing, i.e., |Pi| > ... > \Pi\. Towards 
this, we establish the next important lemma. 
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Lemma 3.44 Let Pi, Pj € VvX Pnodet such that Pi does not interfere with Pj and bi < bj. Then, 
F,{Pj),F2{Pj) i Pi. 


Proof: Let = Pi(Pfc), ifc = F2{Pk), Dk = D{Pk) for k G Note that since P^ ^ Pnodet, 

it holds that Xk = b^ (where Xk = x{Dk)) for k G {i,j}. Since Pi is a new-ending replacement 
path, it diverges from tt{s,v) above bj and hence also above ej. Therefore, ej ^ Pi. So it remains 
to consider tj. Assume towards contradiction that tj G Pi. Since Pi does not interfere with Pj, it 
holds that tj G Did Dj (i.e., Di and Dj are dependent). In particular, since Pi ^ Pnodet, by Cl. 
3 . 15 | ( 3 . 1 ), it holds that tj G Di[xi, c*]. Hence, tj appears on Di strictly above L. Note that since Di 
and Dj are dependent and Xi < Xj, by Cl. 3 . 10 K a), we have that e* G Tt{xi, Xj). So far, we have the 
following: Cj is above Cj on 7r(s, v) and tj is above ti on Di. We first claim that in a such a case Di 
and Dj are neither rev-interleaved nor (x, y)-interleaved. We prove this by contradiction. Let w be 
the first point on Di that is common with Dj. Since tj G DiODj, it holds that tj G Di[w, yi]. Since 
ti appears after tj on Di, it also holds that ti G Di[w,yi]. But if Di and Dj are rev-interleaved or 


(x, y)-interleaved, Di[w,yi] is part of the ZDj-excluded region, leading to contradiction by Cl. 3.12 


We next claim that L- 


G Dj. 


To see this, assume towards contradiction otherwise. First, 


observe that in such a case, Di and Dj are also not y-interleaved (as otherwise Di[w, yi] = Dj[w, yj] 
and since ti G Di[w,yi], it holds that also ti G Dj). Hence by Cl. 3 T^a), Di and Dj must be 


fw-interleaved. Since ti G Di\ Dj, we end with contradiction by Cl. 3.12 


Hence, we have that both second failing edges are common to the two detours, i.e., ti,tj G 
Di n Dj. Let Q = Ps,v,{ej,ti\ be the s — v replacement path concerning the pair Cj and ti G Dj. 
Note that Q is not necessarily a new-ending path. We have the following. 


Claim 3.45 tj G Q. 


Proof: Assume towards contradiction that tj ^ Q. Since Pj is a new-ending path, it diverges from 
Dj before the failing edge tj and hence also above the failing edge U, concluding that U ^ Pj. 
Combining with the contradictory assumption, it holds that ej,ti,tj ^ Q,Pj. By the optimality of 
Q and Pj, \Q\ = \Pj\. By the ordering of Alg. Cons2FTBFS, Q was selected before Pj, since ti is 
strictly below tj. Hence, we end with contradiction to the construction of Pj by Alg. Algorithm 
Cons2FTBFS, as the new edge LastE(P,) could have been avoided. | 


We therefore have that the failing edge tj = (^1,^2) is common with both of the replacement 
paths Q and Pi, i.e., tj G Q (1 Pi. We proceed by showing that this implies the existence of two 
q2 — V shortest paths in G \ {ei,ej,ti}, Z\ = Pi[q2,v\ and Z2 = Q[q2,v\- 


To prove this, it remains to show that e* ^ Z2 (we have already shown that ej ^ Pi). By Claim 
3 . 5 , the replacement path Q has a unique divergence point b from 7r(s, v). Since q2 is an endpoint of 
an edge on the detour Dj, it implies that q2 appears on Q strictly after it diverges from 7r(s, v). Let 
b' be the first point on Q[q2,v\ that is common with 7r(s,u). By the uniqueness of the divergence 
point b, the point 6' is not a divergence point, and hence Q[b\v] = 7r(6',u). Hence, assuming that 
Ci G Z2 it holds that e, G Q\b',v\, but as ej is below on it{s,v), we get that Cj G Q, contradiction 
to the fact that Q G SP{s,v,G \ {ej,ti}). Hence, by the optimality of these subpaths, |Zi| = |Z2|. 
Finally, note that by the ordering of the construction of Alg. Cons2FTBFS, the pair edge {ej,ti) 
was considered before {ei,ti), as Cj is below Cj. Hence, Pi was constructed after Q. Contradiction 
to the selection of Pj by Alg. Cons2FTBFS (as its last new edge could have been avoided). The 
lemma follows. | 


We then have the following. 


46 













Lemma 3.46 |Pi| > ... > \P(\ (or alternatively, if{bi,Ci) < ihj,Cj) then \Pi\ > \Pj\)- 


Proof: Assume towards contradiction that there exist two paths Pi,Pj £ indep such that i < j 
and \Pi\ < \Pj\. First, consider the case where bi = bj. Let Di = D(Pi) and Dj = D{Pj). Let Dk G 

Ci,Cj G Dk- In addition, by 


{Di, Dj} be the detour whose y-value is deeper on 7r(s, v). By Cl. 3.43 
the ordering, Cj appears on D^ before Cj. We now claim that Fi{Pj),F2{Pj) ^ Pi- By the uniqueness 
of the TT-divergence point bi = Xi, it holds that F\{Pj) (that appears below Xi on 7r(s,u)) is not in 
Pi- Next, assume towards contradiction that F2{Pj) G Pi- Since Pi does not interfere with Pj, it 
holds that F2{Pj) G A n Dj. Let F2{Pj) = {qi,q2)- By Cl. | 3 . 6 | Di[xi,q2] = Dj[xj,q2]- Since c* 
appears on Dk above Cj, it holds that it is also above F 2 {Pj), leading to contradiction as Pi[ci,v] 
is edge disjoint with A- Hence, we have that Fi{Pj), F2{Pj) ^ Pi- Finally, since we assume that 
1^*1 < |P;j, we end with contradiction to the selection of Pj by Alg. Cons 2 FTBFS, which selects 
the replacement path whose D-divergence point from Dj is as closest to Xj as possible (and Ci is 
strictly closer). 

Next, consider the complementary case where bi < bj. By Cl. 3 . 44 , Fi{Pj),F2{Pj) are not on 
Pi- Since \Pi\ < \Pj\, we end with contradiction to the construction of Pj since Alg. Cons2FTBFS 
selects the replacement path whose 7 r-divergence point from 7 r(s, v) is as closest to s as possible. 
The lemma holds. | 


Towards bounding the number of independent paths, we classify them into n' classes Pi,..., P„/ 
for some parameter n' to be revealed later. These classes cover all the independent paths Vindep- 
In each Vi class, there is a special path representor P* , that guaranteed to be sufficiently long. 
We now describe the path classification in details. Initially, set ^indep, the (6, c) ordered 

set Vindep. At step T > 1 , we are given a (6, c) ordered set T^J^dep consisting of the remaining 
independent paths that have not been yet assigned to any of the classes. Let Pf be the first path 
in this increasing (6, c) ordering Vf^dep- class Vt consists of the representor Pf and the paths 
P in that satisfy at least one of the two conditions: 


( 01 ) c{P)GDiPf). 

( 02 ) D{P) and D{Pf) are x-interleaved. 


I.e., if P satisfies ( 01 ), ( 02 ) or both, it is added to the class Vr- This process continues, until 
all independent paths are assigned to some class. Let n' be the last time step of the classification 
process, where Vindep = Ur=i every r G {!,..., n'}, let L,- = | A| be the number of paths 

in the class. We now establish several useful properties about these classes and then use it to 
bound the total cardinality of the independent set Vindep- 


Claim 3.47 For every r and for every j G {r, ..., n'}, it holds that \Pf\ > \P'\ for every P' G 
A\{p;}. 


Proof: Note that P, 


indev 


claim holds by Lemma 


3.46 


J^=r '^k- Since P* is the first path in the (6, c) ordered set 

I 


P'!' J 

indep'> 


the 


For every i G {!,...,n'}, we next define two subsets of vertices Vi{i) and V2{i) appearing 
on the paths of the class Pj. The first set Vi{i) consists of the suffixes Pk[ck,v\ \ {u} for every 
Pk ^ 'Pi} {Pf}- The second set V2{i) consists of the suffix of the representor Pf[bi,v] where bi is 
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its TT-divergence point. Formally, let 
Vi{i) = {Pk[ck,v] \ {u} 


Pk€Vi\ {P*}} and V2ii) = P*[bi,v] \ {t;}. 


( 15 ) 


Our goal is to show that the union of these sets, namely, Vk = Ur=i for k G {1, 2 }, is sufficiently 
large. We first consider the sets Vi{i)- 

Claim 3.48 For every i G {1, ..., n''\: 

(a) Vi{i) n Vi{j) = 0 for every j ^ i and 

(b) \vm = n{L‘i). 


Proof: Part (a) follows immediately by Obs. 3.42 Consider part (b). We classify the Li paths in 
Vi into two sets depending on the condition they satisfy when joining the class. Let V} be the set 
of paths in Vi that satisfy (01) and let Vf be the complementary set of paths. 

First, assume that the majority of the Lj paths belongs to the first class V} (i.e., satisfy condition 
( 01 )). Hence, \Vl\ > Lj/2. Note that the D-divergence point of each path in this class appears 
on Di = D{Pf). By the uniqueness of the D-divergence point (see Lemma 3 . 15 ), the paths in 
Vl = {Pi,..., Pfc} can be ordered in incre asing distance from y{Di). Hence, \Pj[cj,v\ \ {i;}| > j — 1 
for every j G {1,..., A:}. By applying Obs. 3.42 again, we get that |Vi(i)| > | IJi=i -PilO'W] \ {'^11 = 


Z)j=i l-fjIO'W] \ {^}l P (^ “ 1 )^/ 2 - Since k > Pi/2, the claim holds. 

Next, consider the complementary case, where the majority of the paths in this class are in P/, 
hence they all satisfied the condition ( 02 ). Note that for every P, P' G P/, it holds that D{P) and 
D[P') are ^-interleaved (since they are x-interleaved with D{Pf)). Let D* be the detour of some 
path P' in the set Vf whose y-value is the deepest on 7r(s, v). Since for every P G P/, it holds that 
D{P) and D* are x-interleaved, by Cl. | 3.43 it holds that the D-divergence point c( P) ap pears on 
D* for every P G P/. By applying the uniqueness of the D-divergence point (Cl. 3 . 15 ) and the 


disjointness of the segments P[c(P),i;] \ {u} (Obs. 3 . 42 ), the argument follows the exact same line 
as for the V} class. Part (b) holds. | 

We proceed by analyzing the sets V2(*)- 


Claim 3 


■49 \V2ii)\ > 


- 2 . 


Proof: Recall that = [J]LiT^j- Since P* was the first path in the increasing ( 5 , c)-ordering 

of it fiolds that b{P*) < b{P) for every P G ^\^dep- 

Since every path P G Pj is not in Vnodet, we have that P[s, &(P)] = 7r(s, b{P)] and hence letting 
b* = b{Pf), we get that Pf[s, b*] = P[s, b*] for every P € Vi. 

it holds that the paths of the (6, c) ordered set T^l^dep correspond to a strictly 


By Lemma 


3.46 


monotone increasing in lengths sequence = {Pi = P*, P2,..., Pl'} of L' = Yl]^=i paths 

such that |Pi| > IP2I > ... > \Pfi\. Since all these paths share the prefix P*[s,b*], it also holds 
that |P{| > IP2I > ... > \Pf/\ where P(, = Pk[b*,v] for every k G { 1 ,...,P'}. Concluding that 
|V2(^)| = \Pi[b*,v] \ {u}| = |P{| — 1 > P' — 2 . The claim follows. | 

The next claim is useful for bounding the cardinality of the V2{i) sets. 

Claim 3.50 Let Pf^, P*^, P*^ such that ii < 12 < h- Let bj = b{P*.), Cj = c{P*.) and Dj = D{P*,) 
for j G { 1 , 2 , 3 }, then flLi Dk[bk, Cfc] = 0 . 
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Proof: Assume towards contradiction that there exists a vertex w G 0^=1 c^]. Let Xj = 

x{Dj) and yj = y{Dj) for j G { 1 , 2 , 3 }. Since P*. ^ Vnodet-, Xj = bj for j G { 1 , 2 , 3 }. We first claim 
that xi < X2 < X3. Since P| does not satisfy condition ( 02 ) for the class it holds that Di and 
D2 are not x-interleaved, i.e, xi ^ X2- Combining this with the fact that precedes P*^ in the 
increasing (6, c) ordering, we get that xi < X2- In the same manner, we also have that X2 < X3. 

We next claim that yi < y2 < ys- Consider first yi and y2- There are two alternative cases. 
Case (a): yi > y2- Then D2 is nested in Di, since these detours are dependent, we end with 
contradiction to Cl. 13.91 

Case (b): yi = y2- Since w G Pi[xi,ci] nP2[a^2)C2], it holds that C2 G D2{w,y2] = Di[w,yi], where 
the last equality holds by Cl. 3 . 6 , We therefore have that Pj* satisfies condition ( 01 ) for the class 


Pjj. Leading to contradiction to the selection of P*^ by the classification procedure. Hence, we 
conclude that yi < 2/2 ■ By applying the same argument for P^* and P^*, it also holds that 2/2 < 2/3 ■ 

Since Di,D2 are dependent and interleaved such that 2/1 < 2/2, by Cl. 3 . 10 [ b), 62 G 7 r( 2 /i, 2 / 2 )- 
I.e., 62 appears below 2/1 on Tr{s,v). In the same manner, since D2 and P3 are dependent and 
interleaved such that X2 < X3, by Cl. 3 . a), 62 G 7r(x2,X3), i.e., 62 appears above X3 on Tr{s,v). 

We now claim that 2/1 > X3 and hence establishing the claim as tt(2/1,2/2) O tt{x2,X3) = 0 . To see 
why 2/1 > X3, assume towards contradiction that 2/1 < X3, then Di and P3 are non-nested and by 


Cl. 3 . 8 , they are independent, in contradiction to the existence of w in the intersection. The claim 


holds. 


I 


We are now ready to bound the number of independent paths. 

Claim 3.51 (aj | Vi U V 2 I = H (Y:ti + C L*)) . 

(b) Nindep = 

Proof: Consider (a). Our strategy is follows. We consider some vertex u G Vi U V2 and bound the 
number of sets Vi{j), V2{j), i G { 1 ,... ,n'} in which it appears. Let = {j \ u £ Vi(j)} and 

= {j I tt G V2{j)'\ be the set of indices corresponding to the Vi(j),V2(j) sets in which u 
appears (respectively). 

First observe that by the disjointness of the V\{j) sets (established in Cl. 3 . 48 [ a)), it holds that 
u can appear in at most one set Vi{j), hence \J^{u)\ < 1 . 

We next claim that u can appear in at most two additional sets V2(H), F2(*2) for some ii,i2 G 
{!,... ,n'}. I.e., \j‘^{u)\ < 2 . To see this, assume towards contradiction that u appears in three 
sets V2 (h), L2(*2), L2(*3)- Without loss of generality, assume that p < Z2 < *3. Let = D{P*^), 
bk = b{P* ) and Ck = c{P* ) for A: G { 1 , 2 , 3 }. Since u G f]^^iP* [bk,v], by the disjointness of the 


suffixes P* [ck,v] (see Obs. 3 . 42 ), it holds that u must appear in the detour segment of these paths, 


namely, that u G nA:=i Cfc] = nfc=i ^kibk, Cfc], where the last equality holds by Cl. 3.15 ’ 3 . 1 ), 

leading to contradiction by Cl. | 3 . 50 [ We therefore have the following. 


3-|ViUV 2| > ^ (|:^'(n)| + |j2(«)|) 

'USV1UV2 j=i fc=i 


Part (a) follows by combining this with Cl. 3 . 48 [ b) and Cl. 3 . 49 [ Finally, since |Vi U V2I < n, by 
using Lagrange multiplier, we get that Nindep = YAi=i as required. | 
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3.8 Bounding the number of vr-interfering paths 


In this section, we bound the number of interfering paths of type tt. Recall that 

I^ = {PeVy I if F2{P') G P \ D{P) for P' G Vy then Pi(P) G Tr{y{D{P')), u)}. 


Let Pi G Xjr be such that Pi vr-interferes with P2. Let ei = Pi (Pi), 62 = Pi(P2) and let xi,yi 
(resp., X2,y2) be the first and last point of the detour P(Pi) (resp., D{P2)). 


To bound the number of vr-interfering paths, we show that an interference of type tt induces 
a strict detour configuration which implies that two paths Pi, P2 G Xjr that are vr-interfered by 
a third path P3, are independent. This key observation enables us to treat this class as a nearly 
independent set of paths. In particular, equipped with this observation, only minor modifications 
are required to employ the quantitative analysis of Sec. | 3 . 7 |to the setting of vr-interference. 


Observation 3.52 //Pi tt -interferes with P2, then: (a) e\ G 7r(y2,2/i) o,nd 
(b) 62 £ 7r{s,xi). Hence, in particular X2 < xi. 


Proof: Consider (a). By the definition, ei G 7r{y2,v) and ei G 7r{xi,yi) hence we conclude that 
Cl G 7 r{y2,yi). The claim holds. We now turn to consider part (b). Assume towards contradiction 
that 62 ^ 7r(s,xi). Let P2(P2) = iQi,q2)- We distinguish between two cases. 

Case ( 1 ): Di and D2 are independent. There are two s — q2 paths in G \ {61,62}, namely, Qi = 
7 r(s,xi) o Pi[xi,ci] o Pi[61,^2] and Q2 = tt{s,X2) o D2[x2,q2\- By the optimality of Qi, it holds 
that Qi G SP{s,q2,G \ P(Pi)). Since 62 ^ 7r(s,xi), it also holds that 62 ^ Qi. In addition, by 
the optimality of Q2, it holds that Q2 G SP{s,q2,G \ {62}). By part (a), 61 G TT{y2,yi) and hence 
ei ^ Q2- Since Pi and P2 are independent, we also have that P2(Pi) ^ Q2. Hence, overall we 
have that Qi,Q2 G SP{s,q2,G\ (P(Pi) U {62})), concluding that \Qi\ = \Q2\- This case is further 
divided into two subcases. 

Case ( 1 . 1 ): xi / X2. If xi < X2 (resp., X2 < xi) , then we end with contradiction to the selection 
of Ps,v,{e2} (resp., Ps,v,F(Pi)) by Alg. Cons2FTBFS, since there exists an alternative shortest-path 
whose TT-divergence point from Tr{s,v) is strictly closer to s. 

Case (1.2): xi = X2. Note that since Pi ^ Pnodet, it holds that ci xi and specifically, ci is strictly 
inside Pi. Since |( 5 i| = IQ2I) we end with contradiction to the selection of Pi by Alg. Cons2FTBFS, 
since there exists an alternative shortest-path, namely, Q2°Pi[q2,'v] whose D-divergence point from 
Pi is xi, i.e., strictly above ci on Pi. 


Case ( 2 ): Pi and P2 are dependent. Case (2.1): xi = X2. Let w be the last common vertex of Pi 
and P2. Since P2(P2) G P2 \Pi, so P2(P2) G D2[w,y2], leading to contradiction by Cl. 3.12 Case 


( 2 . 2 ): xi < X2. Then, since y2 < yi by part (a), P2 is nested in Pi, leading to contradiction by Cl. 
3 . 9 , Case ( 2 . 3 ): xi > X2. By claim Cl. 3 . 10 [ a), we have that 62 G tt{x2,xi), contradiction to the 
fact that 62 ^ 7r(s,xi). The claim follows. | 


By Obs. 3 . 42 [ we have the following. 


Observation 3.53 //P/ = Pi[ci,v] and Pj[ci, v] intersect, then Pi interferes with Pj or vice-versa, 
namely either P2(Pj) G P} or F2{Pj) G P/. 

Recall that we consider only (vr, D)-replacement paths for which P2(Pj) G D{Pi) and hence F2{Pi) ^ 
7r(s, v). We now provide the key lemma which enables us to bound from above the set of vr-interfering 
path. It states that the suffix P'- = Pj\cj,v] of two paths Pj^ and Pj^ that are vr-interfered by the 
same path Pi G Xtt, are disjoint. 
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Lemma 3.54 Let Pji,Pj2 £ P-k be two paths such that there exits Pi G 1 -,^ that interferes with 
Pji ! P’j2 ■ Then, Pj^ and Pj^ are independent and hence = Pj^ [cj ^, v] and Pj^ = Pj^ [cj ^, u] are 
disjoint (besides the common vertex v). 


Proof: Note that by Lemma 3 . 53 , if Pj^ and Pj^ are independent then the segments P(j^ \ {?;} and 
P(^ \ {u} are disjoint. Assume towards contradiction that Pj^ and Pj^ are not independent and 
without loss of generality assume that Pj^ interferes with Pj^. Since Pj^ G Tn, it must hold that 
Pj-^ vr-interferes with Pj^. For ease of notation, let Pi = Pj, P2 = Pj^ and P3 = Pj^. Let a = Pi (Pi) 
and Xi,yi denote the first (resp., last) point of the detour Di = D{Pi) for i = { 1 , 2 , 3 }. By Obs. 


3.52 1 ), since P2 vr-interferes with P3, it must hold that 62 G 7 r{ys,y2). On the other hand, since 
Pi TT-interferes with P2, by Obs. 3 . 52 | ( 2 ), 62 G 7r(x2,xi). We now show that these two requirements 
contradict each other by showing that vr(y3,2/2) O 7r(x2, xi) = 0 . Specifically, we show that xi is not 
below 2/3 on 7 r(s,u), i.e., xi < 223- 


Assume towards contradiction that xi > 2/3, i-e.. Pi and P3 are non-nested. By Cl. 3.8 


we 


then have that Pi and P3 are also independent. Let F2{P‘s) = (91,92), since Pi interferes with P3, 
it visits the failing edge F2{Pz)-, i-e., F2{P'i) £ Pi- We now present two 2/3 — 92 shortest-paths in 
G \ {ei,e3,P2(Pi)}, namely, Zi = Pi[ 2 / 3 , 92 ] = vr(2/3,xi) o Pi[xi,ci] o Pi[ci,g2] and Z2 = P 3 [y 3 , 92 ]- 
Since 63 appears above 2/3 on tt{s,v) and Pi[xi,u] is edge disjoint with 7 r{s,v), we get that 63 ^ 
Zi. In addition, since P3 and Pi are independent and Z2 is edge disjoint with Tr{s,v), we have 
that Pi (Pi), P2(Pi) ^ Z2- By optimality of the replacement paths Pi and Ps,v,{e3}^ we have that 
\Zi\ = \Z 2 \. Hence, we end with contradiction to the selection of Pi by Alg. Cons2FTBFS, as there 
exists an alternative shortest path 71(5,2/3) o Z2 o Pi[g2,u] in G \ P(Pi), whose vr divergence-point 
is strictly above xi. The claim follows. | 


Using Lemma 3 . 54 , the analysis of Sec. | 3 . 7 | extends to the setting of 7r-interference with only 
minor modifications. We now briefly sketch the main steps of the analysis and highlight the require 
modifications. 

Let = {Pi, - - -, Pi} be the increasing (6, c)-ordered set of paths as in Sec. 3 . 7 , where 
i = IXttI- Hence, 61 < 62 < ... < 6^. Since Pi ^ Vnodet-, h holds that bi = x{D{Pi)). Note that if 
a path Pi vr-interferes with Pj then by Obs. 3 . 52 , bi is necessarily below bj on tt(s,v). Also note 


that since Pi is in Xt^, if Pi interferes with Pj then necessarily it is an interference of type vr. We 
have the following. 


Observation 3.55 Pi does not interferes with Pj for every j > i. 


The last observation implies that the proof of Lemma 3.46 established for the case of independent 
paths, extends as is to the case of vr-interfering sets X^-. 

Lemma 3.56 |Pi| ^ ^ II (or alternatzvely, if (hi,Ci^ ^ }bj,Oj} then [X^l IX^I^. 

Towards bounding the number of independent paths, we classify them into n' classes Pi,... ,P„/ 
for some parameter n' to be revealed later. These classes cover all the independent paths X^^. In 
each class, Pj, there is a special representor Pf. The classification procedure is identical to that 


of Sec. 3.7 For every i G {!,...,n'j, we define two subsets of disjoint vertices Vi{i) and V2{i) 


according to Eq. ( 15 ). 


The next auxiliary claim extends Cl. 3.50 to the case of vr-interference. Let Pf^,P*^,P*^ such 
that H < V2 < *3. Let bj = b{P*), cj = c{Pf) and Dj = D{P*,) for j G { 1 , 2 , 3 }. 
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Claim 3.57 

'iS 


For every triple of path 
(V r\k=i^k[bk,ck] = 0 . 
(^)r\LiPk[ck,v] = ^. 


Pf, we have that: 


Proof: Part (1) follows immediately by Cl. 3.50| (the proof of this claim did not use the fact that 
given paths are independent). Consider Part (2). Assume towards contradiction that there exists 
a vertex u ^ f]l=lPk[Ck,v]. 

We now claim that the existence of the common vertex u, implies that P 3 vr-interferes with 
both Pi and P 2 . Assume towards contradiction, that P 3 does not 7 r-interfere with Pj for j G {1, 2}. 


By Obs. 3.55 Pj does not interfere with P 3 . Hence, P 3 and Pj are independent. By Obs. 3.42[ 


we then have that P 3 [c 3 ,u] and Pj[cj,v] are disjoint, leading to contradiction that u is a common 
vertex in the intersection. Hence, P 3 interferes with Pi and P 2 . Since P 3 G Xn-, it holds that this 


interference is of type vr. By Lemma 3.54, we get that Pi[ci, v] and P 2 [c 2 , u] are disjoint, leading to 
contradiction again to the existence of the common vertex u. The claim follows. | 


Using Cl. 3.57 we are now ready to bound the cardinality of the vertex sets Vi{i) and V 2 {i)- 


Claim 3.58 |Ui(i)| = 


Proof: We classify the Li paths in Pj into two sets depending on the condition they satisfy when 
joining the class. Let V} be the set of paths in Pj that satisfy (01) and let Vf be the complementary 
set of paths. 

First, assume that the majority of the Lj paths belongs to the first class V} (i.e., satisfy condition 
(01)). Hence, |P/| > Lj/2. Note that the D-divergence point of each path in this class appears 
on Pj = P(P*). By the uniqueness of the D-divergence point (see Lemma 3.15), the paths in 
Pj^ = {Pi,..., Pk} can be ordered in increasing distance from y{Di). Hence, \Pj[cj,v\ \ {u}| > j — 1 
for every j G {1,..., k). By Cl. 3.57'2), every vertex u G Ui(*) is counted at most twice by P' and 


P(, where P^ = /(Pj) or vice-versa. Hence, |Ui(i)| = | Uj=i Pj[cj,v]\{v}\ > \'YPj=i > 

(fc — 1)^/4. Since k > Lj/2, the claim holds. The complementary case, where the majority of the 
paths in this class are in Pf, holds analogously. | 

Let Vk = Ur=i ^kii) for k G {1, 2}. We next bound the number of independent paths by showing 
that \Vk\ is large for k G {1,2}. 

Claim 3.59 jaj |Vi U V2I = H {Lj + i • Lj)) . 

(h) \I^\ = 0(n2/3). 

Proof: Consider (a). Our strategy is follows. We consider some vertex u G Vi U V2 and bound the 
number of sets Ui(i), V2{i), i G {1, ..., n'j in which it appears. By Cl. 3.57| (a) and (b), a vertex u 
may appear in at most two Pj[6j,Cj] segments and in at most two Pj[cj,u] segments, hence overall 
it may be re-counted four times by the sets of Ui(i), V2(*)- The claim follows now the exact same 
line as the proof of Cl. 
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We are now ready to complete the proof for Thm. o 

Proof: [Thm. o By Obs. |3.17[ Lemma [3.19[ Cor. |3.25[ Cor. |3.41[ Cl. |3.51} b) and Cl. |3.59[ b), 
we have that for every v, the number of new-ending paths in P^ is 0(n^/^). Overall, we have the 
following. \E{H)\ = [Tq U U^ueV' UpeP„ LastE(P)| = 0(n®/^). The theorem follows. | 


52 






























4 Lower bound for /-failure FT-BFS structure 


In this section, we consider a lower bound constructions for FT-MBFS structures resilient to up to 
/-faults for general / > 2 and for every number of sources a. These construction extends the 
construction of |10j for the single failure case. 

Theorem 4.1 For every n > o(l) and 1 > /, there exists an n-vertex graph G*j{V,E) and a source 

set S CV such that any f-failure FT-MBFS structure with respect to S has 

edges. 

Note that for / = Il(logn) the claimed bound becomes trivial. Hence we will assume that / = 
o(logn). We begin by showing the construction for the single source case and then extend it to the 
case multiple sources. Our construction is based on the graph Gf{d) = {Vf,Ef), defined inductively. 
For / = 1 , Gi{d) = {Vi,Ei) consists of three components: ( 1 ) a set of vertices U = {nj,... 
connected by a path Pi = [u},..., ( 2 ) a set of terminal vertices Z = {zj ,..., Zd} (viewed by 

convention as ordered from left to right), and ( 3 ) a collection of d vertex disjoint paths Qj of length 
\Q\\ = Q + 2 ■ {d — i) connecting u\ and Zi for every i G {1 ,..., d}. The vertex r(Gi(d)) = u\ is 
fixed as the root of Gi((i), hence the edges of the paths Q\ are viewed as directed away from u\, 
and the terminal vertices of Z are viewed as the leaves of the graph, denoted Leaf(Gi((i)) = Z. 
See Fig. [T^for illustration. 

Overall, the vertex and edge sets of Gi{d) are Vi = U VJ Z VJ Uf=i ^(Qj) Ei = E{Pi) U 

uUm})- 

For ease of future analysis, we assign labels to the leaves Zi G Leaf(Gi((i)). Let Label/- : 
Leaii{Gf{d)) —)• E{Gi{d))^. The label of each leaf corresponds to a set of edge faults under 
which the path from root to leaf is still maintained (this will be proved later on). Specifically, 
Labeli(zj, Gi(d)) = for f < d — 1 and Labele(zj, Gi((i)) = 0 . In addition, define 

P{zi, Gi{d)) = Pi[r(Gi(d)), u)] o Qj to be the path from the root u\ to the leaf Zi. 

To complete the inductive construction, let us describe the construction of the graph Gf{d) = 
for / > 2 , given the graph G/_i(d) = (V/_i, P/_i). The graph Gf{d) = {Vf,Ej) 
consists of the following components. First, it contains a path P = [u{,... ,u'^], where the node 
x{Gf{d)) = u( is fixed to be the root. In addition, it contains d disjoint copies of the graph 
G' = Gf-i{d), denoted by G/ ..., G'^ (viewed by convention as ordered from left to right), where 
each G[ is connected to u{ by a collection of d vertex disjoint paths Q{, for i G {I,..., d}, connecting 
the vertices u{ with r(G(). The length of Q{ is \Q{\ = {d — i) ■ depth(G/_i(d)). The leaf set of the 
graph Gf{d) is the union of the leaf sets of G/s, Leaf (G/(d)) = Uj=i Leaf (G'). 

Next, define the labels Labelf{zi) for each Zi G Leaf (G/(d)). For every j G { 1 ,..., d — 1 } and 
any leaf Zj G Leaf(G' ), let Lahelf{zj,Gf{d)) = o Lahelf_i{zj,G'j). 

Denote the size (number of nodes) of Gf{d) by N(/, d), its depth (maximal distance between 
two nodes) by depth(/, d), and its number of leaves by nLeaf (/, d) = |Leaf (G/((i))|. Note that for 
/ = 1 , N(l, d) = 2 d -|- Yli=i 4 -|- 2 • (d — z) < 7 df, depth(l, d) = 6 -|- 2 (d — 1 ) (corresponding to the 
length of the path Q}), and nLeaf (I, d) = d. We now observe that the following inductive relations 
hold. 


Observation 4.2 (a) depth(/,d) = 0{d^). 

(h) nLeaf (/,d) = d-^. 
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(c) N(/, d) = c - for some constant c. 

Proof: (a) follows by the length of Q{, which implies that depth(/, d) = d ■ depth(/ — l,d). (b) 
follows by the fact that the terminals of the paths starting with u(,... ,u^ are the terminals of the 
graphs G'l,... which are disjoint copies of G{f — l,d), so nLeaf(/,d) = d ■ nLeaf(/ — l,d). 
(c) follows by summing the nodes in the d copies of G[ (yielding d ■ N(/, d)) and the nodes in 
d vertex disjoint paths, namely Qi,... ,Q^ of total X^f=i(d — i)depth(/ — l,d) nodes, yielding 
N(/,d) = d - N(/ - l,d) + Yli=i{d - i)depth{f - l,d). | 

Consider the set of A = nLeaf(/, d) leaves in G{f,d), Leaf(G(/, d)) = Leaf (G') = 

{zi,..., z\}, ordered from left to right according to their appearance in G{f, d). 

Lemma 4.3 For every Zj it holds that: 

( 1 ) The path P(zi,G(f,d)) is the only u{ — Zj path in G(f,d). 

( 2 ) P{zj,G{f,d)) CG\L3 .helf{zj,G{f,d)). 

( 3 ) P{zi,G{f,d)) g G\ Label/(2;j,G(/,d)) for every i > j. 

( 4 ) \P{zi,G{f,d))\ > \P{zj,G{f,d))\ for every i < j. 

Proof: We prove the claims by induction on /. For / = 1 , the lemma holds by construction. 
Assume this holds for every f'<f — l and consider G{f,d). Let P* = [u(,... ,u^], and let 
G[,... ,G'^ he d copies of the graph G{f — 1 , d), viewed as ordered from left to right, where G'- is 

connected to Uj. That is, there are disjoint paths Qj of monotonely increasing length connecting 
Uj and r(G'), for j G [l..d]. 

By the inductive assumption, there exists a single path P{zj,Gj) between the root 3:(G') and 

the leaf Zj, for every j G [l..d]. We now show that there is a single path between r(G(/, d)) = u( 
and Zj for every j G [l..d]. Since there is a single path P' connecting r{G{f,d)) and ^(G'), where 

pi _ o qJ, it follows that P{zj, G{f, d)) = P' o P{zj, G' ) is a unique path in G(/, d). 

We now show ( 2 ). By the inductive assumption, P{zj,Gj) G G \ Labelj_i(2:j, G' ). Since 
Label J (zj, G(/, d)) = o Labelj_i(2:j, G'), it remains to show that ej = ^ P' 

for j < d — 1 . Since P' diverges from P* = [u {,..., at point Uj, it holds that ej ^ P'. 

Next we consider ( 3 ). Let Zi = {zi G Leaf (G' ) \ i > j} be the set of leaves to the right of Zj 
that belong to G'-, and let Z2 = {zi G Leaf (Gj(d)) \ Leaf (G' ) \ i > j} be the complementary set 
of leaves. By the inductive assumption, P{zi,G'j) ^ G \ Labelj_i(2:j, G' ) for every Zi G Zi. Since 
the order of the leaves in G'- agrees with their order in G{f,d) and as P{zi,Gj) C P{zi,G{f,d)) 
and also Labelj_i(zj, G' ) C Laibelf{zj,G{f,d)), the claim holds for the set Zi. Next, consider 
the complementary leaf set Z2 = {zk}. Since the divergence point of P{zk,G{f,d)) and P* is 
at u'l for k > j, it follows that ej = G P{zk,G{f,d)), and thus P{zk,G{f,d)) ^ G \ 

Label J (zj, G(/, d)) for every k > j. 

Finally, consider ( 4 ). Let Z{ = {zi G Leaf (G') \ i < j} be the set of leaves to the left of Zj 
that belong to G'- and let Z2 = {zi G Leaf (G/(d)) \ Leaf (G' ) \ i < j} be the complementary set 
of leaves. First consider Zi G Z[. Then, by the inductive assumption, P{zi,G'j) > P{zj,G'j). Since 
P{zi, G(/, d)) = P'oP{zi, G' ) and P{zj, G{f, d)) = P'oP{zj, G' ) for P' = [u{, ..., uJJoQJ, the claim 
holds for the set Z\. Consider next the complementary set Z^ = {zk} which are in G'^ for k > j. 
Since for every such qI = [u{,r(G(,)] it holds that \qI\ > \Ql_^_l\ + depth(G(._,_^) > P{zj,G{f,d)), 
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the claim follows. | 


Finally, we turn to describe the graph G*j{V, E) which establishes our lower bound. The graph 
G*j{V, E) consists of three components. The first is the graph Gf{d) for d = , where 

c is some constant to be determined later. By Obs. |4.2[ n/2 < \V{Gf{d))\. Note that d < 

for sufficiently large n, hence M(/, d) = c-d-f~^^ < 5n/8. 
The second component of G*j:{V, E) is a set of nodes X = {xi,..., x-^ and an additional vertex v* 

that is connected to and to all the vertices of X. The cardinality of X is x = n — N(/, d) — 1. 
The third component of G*j-{V, E) is a complete bipartite graph B connecting the nodes of X with 
the leaf set Leaf (G/(ci)), i.e., the disjoint leaf sets Leaf(G']^),... ,Leaf(G^). The vertex set of the 
resulting graph is thus V = V{Gf{d)) U {u*} U X and hence \V\ = n. See Figures 11 and 


illustration of G 2 and Gj. 


12 


for 


By Prop, (b) of Obs. 4.2, nLeaf(G9 = d^ = |'(n/2c)^/('^+^^]> {n/ 2 cy/G+^)^ hence \E{B)\ > 


(3n/8 — 1) • (n/2c)-^/^-^'*’^^ = 0{n?‘ 


We now complete the proof of Thm. 4.1 for the single source case. 


Proof: [Thm. |4.1| for cr = 1] We show that every /-edge FT-BFS structure H with respect to 
s = of G*j-{V,E) must contain all the edges of E{B). Let be the d copies of 

G{f — l,d). Let z* be the rightmost leaf in G*j{V,E) (i.e., in Leaf(G'^)). We hrst show that 
e' = (xj,z*) must be included in any FT-BFS structure, for every i G { 1 ,...,|X|}. Assume, to¬ 
wards contradiction, that there exists a FT-BFS structure not using e(, i.e., H C G*^{V^E) \ {e'}. 

Consider the failure of the edge By Lemma 4.3, P{z*,G{f,d)) is the unique shortest- 

path between r{G{f,d)) and z*, and any other s — z' path is strictly longer. Hence, we get that 
dist{s,Xi, H \ {e(}) > dist{s, Xi, G*j:{V, E) \ {e(}), in contradiction to the fact that H is a FT-BFS 
structure. Next, consider any specific edge ejj = {xi,Zj) where Zj G Leaf(G') is not the right¬ 
most leaf, and let E = Labelf{zj,G{f,d)) be the set of edge faults. Note that by construction, 
0 < |Labelj-( 2 ;j, G(/, fi))| < /. It then follows by Lemma 4.3 that P{zk,G{f,d)) ^ G{f,d) \ P for 
every k > j. Thus, P{zk, G{f, d)) ^ Gj \E as well. In addition, P{zk, G{f, d)) > P{zj, G(/, d)) for 
every k > j, which implies that dist(s, Xi, G”\E) > dist(s, Xj, G*j\E) for every graph G" C G\{ejj}. 
The theorem follows. | 


The multi-source case. We now extend the lower bound construction to support the case of 
multiple sources SPY for any cardinality of sources. 

Proof: [Thm. 4.1 for any 1 < cr < n] Given a parameter a representi ng t he number of sources, 

each copy consists of 


4.2 


a copies, G[,... ,G'^, of Gf{d), where d = 0((n/cr)^/('^+^)). By Obs. 

0{n/a) nodes. Let m be the node and Si = r(G() in the Ah copy G'. Add a node v* connected 
to a set X of 0{n) nodes and connect v* to each of the nodes y,, for i G {1,..., d}. Finally, connect 
the set X to the a leaf sets Leaf(G'^),... ,Leaf (G'^) by a complete bipartite graph, adjusting the 
size of th e set X in the construction so that |P(G)| = n. Since nLeaf(G() = (see 

Obs. 4.2), overall |L1(G)| = 0(n • cr • nLeaf (G/(d))) = n(cr^/('^+^) • Since the path from 

each source Sj to X cannot aid the nodes of G'- for j i, the analysis of the single-source case can 
be applied to show that each of the bipartite graph edges in necessary upon a certain sequence of 
at most /-edge faults. | 
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Figure 10: The graph Gi{d). 



Figure 11: Lower bound construction for dual failure FT-BFS structure. The set of X vertices is 
fully connected to the leaf set of each of the d copies of Gi{d). Overall \E{G 2 )\ = 0{n^/‘^). The 
dashed wide edge is required in any dual failure FT-BFS structure upon the faults of the edges 
marked in figure. 
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Figure 12: Schematic illustration of Gj. The set of X nodes are fully connected to the leaf set of 
Gf-i{d) graphs. Each such edge is necessary for a certain fault set. 


5 O(log n)- Approximation for constructing the minimum /-failure 
FT-BFS structure 

In Sec. we presented an algorithm that for every graph G and source s constructs a dual 
failure FT-BFS H with edges. In Sec. we showed that there exist graphs G and source 

set S C V{G) for with every FT-BFS HOG with respect to S overcoming up to /-faults has 

edges, establishing tightness of our algorithm for the case of l^l = 1 

and / = 2 in the worst-case. 

In this section consider the Minimum FT-MBFS that aims at finding the minimum size structures 
that tolerant against /-faults for any given set of sources S. The Minimum FT-MBFS has been 
defined and studied by [TO] for the single failure case (i.e., / = 1). We extend the result of [TO| 
to the general case of constant / > 1 and provide a O(logn) approximation algorithm for this 
problem. 

The importance of this result is of twofold. First, for / = 2, although our universal upper 
bound matches the existential lower bound, there are also inputs {G',s') for which the algorithm 
of Sec. might still produce an FT-BFS H which is denser by a factor of than the size of 

the optimal FT-BFS structure. For the case of / = 1, an example of such a graph is given by m, 
this example can easily be modified to / = 2 by the lower bound construction of Sec. Second, 
for general / > 3, while a tight universal upper bound on the size of /-fault FT-BFS structures is 
currently beyond our reach, we can still construct such structures whose size is larger by a factor 
of O(logn) than the optimal /-fault FT-BFS structures. Although this section is a straightforward 
extension of cni, for completeness, we provide a full analysis and begin by defining the problem 
formally. For a graph G = {V,E), a source set 5 C 1/ and number of faults / > 1, let 'H{S,G,f) 
be the collection of all subgraph HOG that are FT-MBFS with respect to S overcoming up to 
/-faults, that is the subgraphs HOG satisfying that dist(s, v,H \ F) = dist(s, v,G\ F) for every 
{s,v) ^ S X V and F O F where \F\ < f. Let Cost*(5, G, f) = min{|E(Lf)| | H G H{S, G, /)}. 
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In the Minimum FT-MBFS problem, we are given a graph G, a source set SCI/ and number of 
faults / > 1 and the goal is to compute an /-fault FT-MBFS H G H(S, G, f) of minimum size, i.e., 
such that \E{H)\ = Cost*(S, G,/). 

Similarly to m, it can be shown that the Minimum FT-MBFS problem for any constant / > 
1 and |S| > 1, is NP-hard and moreover, cannot be approximated (under standard complexity 
assumptions) to within a factor of fl(logn). 

We now turn to describe a O(logn) approximation algorithm given an input (S, G,/). To 
prove theorem |1.3[ we first describe the algorithm and then bound the number of edges. Let 
ApproxSetCover((J, 17) be an O(logn) approximation algorithm for the Set-Cover problem, which 
given a collection of sets 'S = {Si,..., Sm} that covers a universe U = {ui,... ,U]\f} of size N, 
returns a cover C that is larger by at most 0{logN) than any other C that covers U (cf. 

my 

The Algorithm. Starting with 77 = 0, the algorithm adds edges to 77 until it becomes an /-fault 
FT-MBFS structure. 

Set an arbitrary order on the vertices V{G) = {ui,... ,u„} and define Up = {T’ C (£'(G)U{0})} 
be the collection of all possible k < f edge failures in G. Note that Up contains also the empty 
set, corresponding to the fault free case. In addition, note that \Up\ = 0{n^), hence of polynomial 
size for constant number of faults /. Let 

U = {{sk,F) I SkGS,FGUp}. 

The algorithm consists of n rounds, where in round i it considers Vi. Let r(i;j, G) = {ui,..., 
be the set of neighbors of Vi in some arbitrary order, where di = deg(ui, G). For every neighbor uj, 
define a set Stj C U containing elements of U. Informally, a set Sij contains the pair {sk,F) G U 
if there exists an Sk — Vi shortest path in G \ 7^ that goes through the neighbor Uj of Vi. Note that 
Sij contains the pair {sk, 0) for every Sfc G S' iff there exists an Sfc — Vi shortest-path in G that goes 
through Uj. Formally, the pair {sk,F) is included in every set Sij satisfying that 

dist(sfc, Uj,G\ F) = dist(sfc, Vi, G \ F) — 1. (16) 

Let = {Si^i,..., Si^di}- The edges incident to Vi that are added to 77 in round i are now selected 
by using algorithm ApproxSet Cover to generate an approximate solution for the set cover problem 
on the collection 5 = {Si,j \ Uj G F(ui, G)}. Let = ApproxSetCover(5'i, 77). For every Sij G 
add the edge (uj, Vi) to 77. 

Analysis. We first show that algorithm constructs an /-FT-MBFS 77 G 77(S, G, /) and then bound 
its size. 

Lemma 5.1 77 G 77(S, G, /). 

Proof: Assume, towards contradiction, that 77 ^ 77(S, G, /). Let s G S be some source vertex such 
that 77 ^ 77({s},G,/) is not an /-FT-BFS structure with respect to s. By the assumption, such s 
exits. Let 


BP = {(i, 7^) I Uj G I/, 7^ G 7/i;’ and dist(s, Vi, H \ F) > dist(s, Vi, G \ 7^)} 

be the set of “bad pairs,” namely, vertex, faulty-set pairs {i, F) for which the s — Vi shortest path 
distance in 77\7^ is greater than that in G\F. (By the assumption that 77 ^ 77({s}, G, /), it holds 
that BP / 0.) 
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For every pair {i,F), where Vi £ ^\{'S} and F £ Up, define an s — Vi shortest-path Pi^p in G\F 
in the following manner. Let Uj £ r{vi,G) be such that the pair {s,F) £ Sij is covered by the 
set Sij of Uj and Sij £ is included in the cover returned by the algorithm ApproxSetCover in 
round i. Thus, {uj,Vi) £ H and dist(s, Uj,G\F) = dist(s, Vi, G\F) — 1. Let P' £ SP{s, Uj,G \ F) 
and define 

Pi,F = P' O {Uj,Vi). 

By definition, \Pi^p\ = dist(s, Vi, G\ F) and by construction, LastE(Pj^i 7 ’) G H. Define BE{i, F) = 
Pi^p \ E{H) to be the set of “bad edges,” namely, the set of Pi^p edges that are missing in H. By 
definition, BE{i, P) / 0 for every bad pair (z, P) £ BP. Let d{i, F) = maXegB£;(i,F){dist(s, e, Pi^p)} 
be the maximal depth of a missing edge in BE{i, F), and let DM (i, P) denote that “deepest missing 
edge” for (i, P), i.e., the edge e on Pi^p satisfying d{i, P) = dist(s, e, Pi^p). Finally, let {i', F') £ BP 
be the pair that minimizes d{i,F), and let ei = £ BE{i',F') be the deepest missing edge 

on Pp^p', namely, ei = DM{i',F'). Note that ei is the shallowest “deepest missing edge” over 
all bad pairs (i,P) £ BP. Let Pi = Pi^^^p', P 2 = Pp p'[s,Vi^] and P 3 = P^* Uj/]; Note that 

since {i'^F') £ BP, it follows that also {i\,F') £ BP. (Otherwise, if (zi,'p') ^ BP, then any 
s —shortest-path P' £ SP{s,Vi^,H\F') , where |P'| = \Pi.^^pi\, can be appended to P 3 resulting 
in P" = P' o P 3 such that (1) P" <£ H \ F' and (2) \P"\ = |P'| + IP 3 I = jPs] -h IP 3 I = \Pp,P'\, 
contradicting the fact that {i',F') £ BP.) Thus we conclude that (zi,P') £ BP. Finally, note that 
LastE(Pi) G P by definition, and therefore the deepest missing edge of (i,P) must be shallower, 
i.e., d{ii,F') < d{i',F'). However, this is in contradiction to our choice of the pair {i',F'). The 
lemma follows. | 

Size analysis. Let W : E{G) —?• M>o be the weight assignment that guarantees the uniqueness 
of shortest-paths (i.e., breaks ties between of shortest-paths of the same lengths, in a consistent 
manner). Note that the algorithm did not use W in the computation of the shortest-paths. For every 
node Vi, let T{vi,G) = {ui,... ,Udi} be its ordered neighbor set as considered by the algorithm. 
For every FT-MBFS tree H £ 'H{S,G, f), Vi £ V, F £ Up and source Sk £ S, let Pi{sk,F) £ 
SP{sk, Vi, H \ F, W) be an s^ — Vi shortest-path in P \ P. Let 

Ti(P) = {LastE(Pi(sA:,P)) I {sk,F)£U] 

be the edges incident Vi that appear as last edges in the shortest-paths and replacement paths from 
S to Vi in P. Define 

^,{H) = {S,,j I {uj,Vi)£Ai{H)]. 

We then have that 

\UH)\ = \MH)\ ■ (17) 

The correctness of the algorithm (see Lemma |5.1[ ) established that if a subgraph H Q G satisfies 
that ^i{F[) is a cover of U for every Vi £ V, then P £'H{S, G, /). We now turn to show the reverse 
direction. 

Lemma 5.2 For every H £'H{S,G,f), the collection ^i{H) is a cover of U, namely, [Jg. .gy.(ii-) *S'ij 
U, for every Vi £ V. 

Proof: Assume, towards contradiction, that there exists an /-fault FT-BFS P G 'H{S,G, f) and a 
vertex Vi £ V whose corresponding collection of sets ^i{H) does not cover U. Hence there exists 
at least one uncovered pair {sk,F) £ U, i.e., 

{sk,F)£U\ U Si,j . (18) 
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We next claim that H does not contain an optimal s^—Vi path when the edges of F fail, contradicting 
the fact that H G, /). That is, we show that 

dist{sk,Vi,H \F) > dist{sk, Vi, G\F). 


Towards contradiction, assume otherwise, and let {uj,Vi) = LastE(Pj_^) where Pi^p G SP{sk,Vi,H\ 
F,W), hence {uj,Vi) G Ai{H) and G ^i{F[). By the contradictory assumption, |-Pi,_F| = 


dist(sfc,Ui,G \ F) and hence dist{sk,Uj,G \ F) = dist(sfc,Ui,G \ F) — 1. 
follows. I 


I,] £ in contradiction to Eq. (18), stating that {sk,F) is not covered by ^i{H) 


This implies that F G 
The lemma 


We now turn to bound that number of edges in H. 


Lemma 5.3 \E{F[)\ < O(logn) • Cost*(5, G, /). 


Proof: Let F* G T-L{S,G,f) be an optimal/-fault FT-MBFS satisfying that \E{H*)\ = Cost* {S,G, f). 
Let 6 = c ■ logn be the approximation ratio guarantee of Algorithm ApproxSetCover. For ease of 
notation, let Oi = Ai{H*) for every Vi G V. Let = {5*1,1, • ■ •, 5^,^.} be the collection of Vi sets 
considered at round i where Sij C [/ is the set of the neighbor Uj G T{vi,G) computed according 
to Eq. (fTbj). 


Let = ApproxSetCover(5i, U) be the cover returned by the algorithm and define Ai = 
{{uj,Vi) I Sij G as the collection of edges whose corresponding sets are included in 5'. Thus, 
by Eq. ([^, |Oj| = \di{H*)\ and \Ai\ = |5'| for every Vi G V. 


Observation 5.4 \Ai\ < S\Oi\ for every Vi G V. 


Proof: Assume, towards contradiction, that there exists some i such that \Ai\ > 5|Oi|. Then by Eq. 
0 and by the approximation guarantee of ApproxSetCover where in particular \^i{H)\ < 5\^i\ 
for every C that covers U, it follows that ^i{F[*) is not a cover of U. Consequently, it follows 
that H* ^ 'H{S,G, f), contradiction. The observation follows. 


by Lemma 


5.2 


I 


Since |J Ai contains precisely the edges that are added by the algorithm to the constructed 
/-faults FT-MBFS structure H, we have that 


\E(H)\ < \Oi\ < 25 ■ Cost*(S', G, f) , 

i i 


where the second inequality follows by Obs. 5.4 and the third by the fact that \E{H*)\ > Y2- |Oi|/2 
(as every edge in counted at most twice, by both its endpoints). The lemma 

follows. I 


Thm. O is established. 
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